AUTHENTICATED 
US. GOVERNMENT 
INFORMATION ^ 


EVALUATING PRIVACY, SECURITY, AND FRAUD 
CONCERNS WITH OBAMACARE’S INFORMATION 
SHARING APPARATUS 

JOINT HEARING 

BEFORE THE 

SUBCOMMITTEE ON ENERGY POLICY, 
HEiCLTH CARE AND ENTITLEMENTS 

OF THE 

COMMITTEE ON OATRSIGHT 
AND GOATRNMENT REFORM 

AND THE 

SUBCOMMITTEE ON CYBERSECURITY, 
INFRASTRUCTURE PROTECTION, 

AND SECURITY TECHNOLOGIES 

OF THE 

COMMITTEE ON HOMELAND SECURITY 
HOUSE OF REPRESENTATDT]S 

ONE HUNDRED THIRTEENTH CONGRESS 

FIRST SESSION 

JULY 17, 2013 

Serial No. 113-66 

(Committee on Oversight and Government Reform) 

Serial No. 113-25 

(Committee on Homeland Security) 

Printed for the use of the Committee on Oversight and Government Reform 



Available via the World Wide Weh: http://www.fdsys.gov 
http://www.house.gov/reform 


U.S. GOVERNMENT PRINTING OFFICE 
86-193 PDF WASHINGTON : 2014 


For sale by the Superintendent of Documents, U.S. Government Printing Office 
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001 


COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM 

DARRELL E. ISSA, California, Chairman 


JOHN L. MICA, Florida 

MICHAEL R. TURNER, Ohio 

JOHN J. DUNCAN, JR., Tennessee 

PATRICK T. McHENRY, North Carolina 

JIM JORDAN, Ohio 

JASON CHAFFETZ, Utah 

TIM WALBERG, Michigan 

JAMES LANKFORD, Oklahoma 

JUSTIN AMASH, Michigan 

PAUL A. GOSAR, Arizona 

PATRICK MEEHAN, Pennsylvania 

SCOTT DesJARLAIS, Tennessee 

TREY GOWDY, South Carolina 

BLAKE FARENTHOLD, Texas 

DOC HASTINGS, Washington 

CYNTHIA M. LUMMIS, Wyoming 

ROB WOODALL, Georgia 

THOMAS MASSIE, Kentucky 

DOUG COLLINS, Georgia 

MARK MEADOWS, North Carolina 

KERRY L. BENTIVOLIO, Michigan 

RON Desantis, Florida 


ELIJAH E. CUMMINGS, Maryland, Ranking 
Minority Member 

CAROLYN B. MALONEY, New York 
ELEANOR HOLMES NORTON, District of 
Columbia 

JOHN F. TIERNEY, Massachusetts 

WM. LACY CLAY, Missouri 

STEPHEN F. LYNCH, Massachusetts 

JIM COOPER, Tennessee 

GERALD E. CONNOLLY, Virginia 

JACKIE SPEIER, California 

MATTHEW A. CARTWRIGHT, Pennsylvania 

MARK POCAN, Wisconsin 

TAMMY DUCKWORTH, Illinois 

ROBIN L. KELLY, Illinois 

DANNY K. DAVIS, Illinois 

PETER WELCH, Vermont 

TONY CARDENAS, California 

STEVEN A. HORSFORD, Nevada 

MICHELLE LUJAN GRISHAM, New Mexico 


Lawrence J. Brady, Staff Director 
John D. Cuaderes, Deputy Staff Director 
Stephen Castor, General Counsel 
Linda A. Good, Chief Clerk 
David Rapallo, Minority Staff Director 


Subcommittee on Energy Policy 

JAMES LANKF 
PATRICK T. McHENRY, North Carolina 
PAUL GOSAR, Arizona 
JIM JORDAN, Ohio 
JASON CHAFFETZ, Utah 
TIM WALBERG, Michigan 
PATRICK MEEHAN, Pennsylvania 
SCOTT DesJARLAIS, Tennessee 
BLAKE FARENTHOLD, Texas 
DOC HASTINGS, Washington 
ROB WOODALL, Georgia 
THOMAS MASSIE, Kentucky 


Health Care and Entitlements 

I, Oklahoma, Chairman 

JACKIE SPEIER, California, Ranking 
Minority Member 
ELEANOR HOLMES NORTON, District of 
Columbia 

JIM COOPER, Tennessee 

MATTHEW CARTWRIGHT, Pennsylvania 

TAMMY DUCKWORTH, Illinois 

DANNY K. DAVIS, Illinois 

TONY CARDENAS, California 

STEVEN A. HORSFORD, Nevada 

MICHELLE LUJAN GRISHAM, New Mexico 


(H) 



COMMITTEE ON HOMELAND SECURITY 

Michael T. McCaul, Texas, Chairman 


Lamar Smith, Texas 

Peter T. Kmc, New York 

Mike Rogers, Alabama 

Paul C. Broun, Georgia 

Candice S. Miller, Michigan, Vice Chair 

Patrick Meehan, Pennsylvania 

Jeff Duncan, South Carolina 

Tom Marino, Pennsylvania 

Jason Chaffetz, Utah 

Steven M. Palazzo, Mississippi 

Lou Barletta, Pennsylvania 

Chris Stewart, Utah 

Richard Hudson, North Carolina 

Steve Daines, Montana 

Susan W. Brooks, Indiana 

Scott Perry, Pennsylvania 

Mark Sanford, South Carolina 


Bennie G. Thompson, Mississippi 
Loretta Sanchez, California 
Sheila Jackson Lee, Texas 
Yvette D. Clarke, New York 
Brian Higgins, New York 
Cedric L. Richmond, Louisiana 
William R. Keating, Massachusetts 
Ron Barber, Arizona 
Dondald M. Payne, Jr., New Jersey 
Beto O’Rourke, Texas 
Tulsi Gabbard, Hawaii 
Filemon Vela, Texas 
Steven A. Horsford, Nevada 
Eric Swalwell, California 


Greg Hill, Chief of Staff 

Michael Geffroy, Deputy Chief of Staff ! Chief Counsel 
Michael S. Twinchek, Chief Clerk 
Lanier Avant, Minority Staff Director 


SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, 
AND SECURITY TECHNOLOGIES 


Patrick Meehan, Pennsylvania, Chairman 


Mike Rogers, Alabama 

Tom Marino, Pennsylvania 

Jason Chaffetz, Utah 

Steve Daines, Montana 

Scott Perry, Pennsylvania 

Michael T. McCaul, Texas (ex officio) 


Yvette D. Clarke, New York 

William R. Keating, Massachusetts 

Filemon Vela, Texas 

Steven A. Horsford, Nevada 

Bennie G. Thompson, Mississippi (ex officio) 


Alex Manning, Subcommittee Staff Director 
Dennis Terry, Subcommittee Clerk 


(III) 




CONTENTS 


Page 

Hearing held on July 17, 2013 1 

WITNESSES 

Mr. Alan R. Duncan, Assistant Inspector General for Security and Informa- 
tion Technology Services, Treasury Inspector General for Tax Administra- 
tion 

Oral Statement 9 

Written Statement 11 

The Hon. Daniel Werfel, Principal Deputy Commissioner, Internal Revenue 
Service 

Oral Statement 22 

Written Statement 24 

The Hon. Marilyn B. Tavenner, Administrator, Centers for Medicare and 
Medicaid Services, U.S. Department of Health and Human Services 

Oral Statement 29 

Written Statement 31 

Mr. John Dicken, Director, Health Care, U.S. Government Accountability 
Office 

Oral Statement 39 

Written Statement 41 

APPENDIX 

Letter from Mr. Daniel I. Werfel 101 

Opening Statement from Ranking Member Yvette D. Clarke 102 

ACA Implementation IRS Oversight Board Briefing submitted by Mr. Jordan 103 
Statement for the Record submitted by Ranking Member Bennie G. Thomp- 
son 113 


(V) 




EVALUATING PRIVACY, SECURITY, AND 
FRAUD CONCERNS WITH OBAMACARE’S IN- 
FORMATION SHARING APPARATUS 


Wednesday, July 17, 2013 

House of Representatives, 

Subcommittee on Energy Policy, Health Care and 
Entitlements, Committee on Oversight and 
Government Reform, joint with the 
Subcommittee on Cybersecurity, Infrastructure 
Protection, and Security Technologies, Committee on 

Homeland Security, 

Washington, D.C. 

The subcommittees met, pursuant to call, at 10:00 a.m., in Room 
2154, Rayburn House Office Building, Hon. James Lankford [chair- 
man of the Subcommittee on Energy Policy, Health Care and Enti- 
tlements, Committee on Oversight and Government Reform] pre- 
siding. 

Present: Representatives Lankford, Meehan, Gosar, McHenry, 
Jordan, Walberg, DesJarlais, Perry, Woodall, Black, Issa (ex offi- 
cio), Speier, Clarke, Cardenas, Lujan Grisham, Maloney, and 
Cummings (ex officio). 

Staff present from the Committee on Government Reform: Kurt 
Bardella, Senior Policy Advisor; Brian Blase, Senior Professional 
Staff Member; Molly Boyl, Senior counsel and Parliamentarian; 
Lawrence J. Brady, Staff Director; Caitlin Carroll, Deputy Press 
Secretary; Katelyn E. Christ, Professional Staff Member; John 
Cuaderes, Deputy Staff Director; Adam P. Fromm, Director of 
member Services and Committee Operations; Linda Good, Chief 
Clerk; Meinan Goto, Professional Staff Member; Tyler Grimm, Sen- 
ior Professional Staff Member; Christopher Hixon, Deputy Chief 
Counsel, Oversight; Mark D. Marin, Director of Oversight; Emily 
Martin, Counsel; Scott Schmidt, Deputy Director of Digital Strat- 
egy; Rebecca Watkins, Deputy Director of Communications; Jaron 
Bourke, Minority Director of Administration; Yvette Cravins, Mi- 
nority Counsel; Susanne Sachsman Grooms, Minority Deputy Staff 
Director/Chief Counsel; Adam Koshkin, Minority Research Assist- 
ant; Suzanne Owen, Minority Health Policy Advisor; Safiya Sim- 
mons, Minority Press Secretary; and Mark Stephenson, Minority 
Director of Legislation. 

Staff present from the Committee on Homeland Security: Alex 
Manning, Subcommittee Staff Director; Kevin Gundersen, Senior 
Professional Staff Member; Erik Peterson, Staff Assistant; Mar- 
garet Anne Moore, Special Assistant to the Chief of Staff; Michael 
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McAdams, Deputy Press Secretary; Natalie Nixon, Deputy Chief 
Clerk; Christopher Schepis, Minority Senior Professional Staff 
Member; and Adam Comis, Minority Communications Director. 

Mr. Lankford. Committee will come to order. I would like to 
begin this hearing by stating the Oversight Committee mission 
statement. We exist to secure two fundamental principles. First, 
Americans have the right to know the money Washington takes 
from them is well spent. Second, Americans deserve an efficient, ef- 
fective government that works for them. Our duty on the Oversight 
and Government Reform Committee is to protect these rights. Our 
solemn responsibility is to hold government accountable to tax- 
payers because taxpayers do have a right to know what they get 
from their government. We will work tirelessly in partnership with 
citizen watchdogs, deliver the facts to the American people, and 
bring genuine reform to the federal bureaucracy. This is the mis- 
sion of the Oversight and Government Reform Committee. 

Today’s hearing is focused on the purpose and design of the huge 
information-sharing apparatus being constructed to implement the 
Affordable Care Act. Therein, we’ll examine who will have access 
to sensitive personal information, who will contribute data, how the 
government will protect this information, and why this information 
is necessary at all. We have the unusual combination of the IRS 
and HHS in our panel today because to accomplish the legal re- 
quirements of the ACA, it must work together to combine data 
from millions of people to allow exchanges to verify the subsidies 
and manage the intricacies of the Affordable Care Act. 

This is an oversight hearing on the implementation of the law as 
well as with Homeland Security. The people giving testimony today 
did not write the law. They are only trying to make this confusing 
system work, so we get that. So we’ll have a lot of questions back 
and forth today to be able to process on how to get this accom- 
plished. We are not going to try to hold you responsible for the ori- 
gin of the law, but we will have decisions about the variety of deci- 
sions that you have made to prepare to implement and enforce the 
law. 

The other large amount of information sharing raises the risk of 
identity theft and other types of misuse. This risk is even more pro- 
nounced since the Department of Health and Human Services has 
missed several of their own self-imposed deadlines, and we’ll want 
to know where we are on that. 

A document obtained for GAO revealed that as of April 2013, the 
department had only completed 20 percent of its work to establish 
appropriate privacy protections and capacity to accept, store, asso- 
ciate, and process documents from an individual applicant. Today, 
we hope to hear about the progress of the other 80 percent of that 
work. Two weeks ago. Treasury announced that they would delay 
the employer mandate until 2015. Just days later, the administra- 
tion released another 650 pages of regulations that limited the de- 
gree of applicant verification required by exchanges during the first 
year of implementation. 

Instead of verifying, applicants will now be on the honor system 
for the subsidy. The potential for fraud and honest mistakes are 
multiplied since no one understands this law, the subsidies stand- 
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ards, how the administration defines a qualified employer health 
plan or a myriad of other issues. 

While I believe that the employer mandate is a terrible public 
policy that’s already hurt hundreds of thousands of Americans 
through fewer jobs or reduced work hours, the administration can- 
not just rewrite the law on the fly. Moreover, because of the Rube 
Goldberg construction of Obamacare, the delay in the employer 
mandate and refusal to do proper applicant verification means that 
the Federal Government will waste billions of dollars next year 
subsidizing people’s health insurance who are ineligible for cov- 
erage under the law. 

The IRS has recently become highly politicized under this Ad- 
ministration around the implementation of the ACA and the rights 
of people from all political perspectives to operate on a nonprofit 
and in a nonprofit organization. After the passage of the ACA, the 
IRS Commissioner Shulman visited the White House over 100 
times in a 2-year period to discuss Obamacare implementation. 
Shulman’s predecessor at IRS, Mark Everson, shared his concern 
at an Oversight Committee hearing last year about the problem 
with the IRS being so deeply involved with Obamacare and the se- 
rious threat this poses to the historic independence of the IRS. 

Sarah Hall Ingram has led IRS’ implementation of the Affordable 
Care Act for 3 years. She was originally invited to testify at this 
hearing. However, because she may be also intricately connected to 
the IRS’ targeting of conservative nonprofit groups, I have accepted 
Acting IRS Commissioner Werfel’s offer to testify in her place. 
There are many questions and issues facing the IRS, but today’s 
focus is on the data hub and on data sharing that is required be- 
cause of the ACA. I welcome Commissioner Werfel’s testimony 
today. 

Marilyn Tavenner, administrator for CMS, finally, after a very 
long process there as acting, is also here today to field questions 
related to the Federal data hub. Hopefully, she’s prepared to ad- 
dress specific concerns about the possible cyber-related attacks, as 
well as the recent AP story from last weekend that the uninsured 
could fall victim to fraud, identity theft, or other crimes at the 
hands of some of the very people who are supposed to help them 
enroll. 

I welcome the attendance of all of our witnesses today, and we’ll 
spend time introducing everyone in the moments ahead. 

With that, I would like to recognize the ranking member of Over- 
sight committee, Ms. Speier. 

Ms. Speier. Mr. Chairman, thank you, and I thank you and 
Chairman Meehan for calling today’s important hearing, and I 
thank all of the witnesses for being here to participate. 

The Affordable Care Act extends health insurance coverage to 
tens of millions and uninsured and underinsured Americans to help 
them obtain necessary medical care. Already, millions of Americans 
have directly benefitted from the Affordable Care Act: 2.5 million 
young adults, my son being one of them, now have health insur- 
ance on their parent’s plan. The parents of over 17.6 million chil- 
dren with pre-existing conditions no longer have to worry that their 
children will be denied coverage. More than 32.5 million seniors 
have already received one or more free preventative services, in- 
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eluding the new annual wellness visit. Starting this October, mil- 
lions more Americans will be able to easily compare and choose af- 
fordable private health insurance plans for the first time when 
health exchanges open in every State. Many low-income applicants 
will qualify for subsidies. Those shopping for insurance will no 
longer have to worry that they will be denied coverage because of 
a pre-existing condition or worry that one serious illness and hos- 
pital stay will exhaust their lifetime limits, leading them to finan- 
cial bankruptcy. 

Some have speculated that Obamacare will not work or at least 
that the October deadline might not be met. A June 2013 GAO re- 
port raised the issue of some missed deadlines but ultimately con- 
cluded that implementation was feasible and on track. This is a 
welcome news, and I look forward to hearing from the GAO today 
on how the process is proceeding. I also would like to know what 
impact sequestration has on the ability of those who are supposed 
to implement the Affordable Care Act are being frustrated. 

GAO also determined that CMS has developed contingency plans 
to be ready for unexpected development so the exchanges will be 
able to open on schedule in October. HHS has long experience with 
complicated health systems involving sensitive personal informa- 
tion, like Medicare, Medicaid and Medicare Part D. Getting the 
healthcare exchanges up and running is without a doubt a highly 
complex undertaking, made more complicated by the decisions of 
many States to have the Federal Government run their exchanges, 
and it is unlikely to be perfect out of the gate. But no major pro- 
gram has launched without a few hiccups. 

I am pleased there are concrete plans to mitigate any disruptions 
of the exchange system and to ensure the integrity of data hub 
communications between HHS, the IRS, DHS, and the Social Secu- 
rity Administration, States that other agencies involved in deter- 
mining applicants’ eligibility. At the same time, the scope of this 
new program requires that we ensure that it is carried out in a 
way that protects the privacy and security of those applying for in- 
surance and prevents fraud by those seeking subsidies. 

The privacy of enrollee information is non-negotiable. Legitimate 
concerns have been raised about whether the security structure of 
the data hub that CMS has put into place will be sufficient when 
the exchange is launched in October. Today, I hope to learn from 
these witnesses the actual details of efforts to ensure security and 
privacy in the data hub. I am encouraged by Ms. Tavenner’s writ- 
ten statement debunking the notion that in pursuit of access to 
care, we have to sacrifice privacy. Such statements must be backed 
by action and all parties to the transaction must have the same 
commitment. Mere promises are not enough, but we should also lis- 
ten to the facts and not pre-judge the efforts of thousands of dedi- 
cated Federal and State employees working to make this law a re- 
ality. 

At the same time. I’m troubled by recent reports of the IRS’ un- 
intentional exposure of personal information submitted by organi- 
zations seeking tax exemption under section 527 of the IRC. I am 
pleased that the agency moved swiftly to correct the situation when 
it was detected. Such privacy breaches are unacceptable and should 
not happen at all. 
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Lastly, Mr. Chairman, I am concerned by the efforts of some to 
sabotage the implementation of the Affordable Care Act by making 
sweeping allegations about the theoretical potential for fraud and 
other possible failings. I hope this hearing today is not an attempt 
to do that. The purpose of this committee, as you have pointed out 
in your opening statement, is to conduct oversight of programs like 
the Affordable Care Act, to ensure that it is carried out properly, 
and to uncover waste, fraud, and abuse. 

I look forward to additional hearings over the next several years 
once we see the program actually in operation. I also hope Con- 
gress will not deny the funding needed to ensure that the ex- 
changes and the data hub can operate in a safe and secure manner. 
In fact, I hope to learn from our witnesses today how sequestration 
and budget cuts have impacted their ability to implement the law 
and protect enrollees’ privacy. 

The Affordable Care Act is the law of the land. It has been 
upheld by the United States Supreme Court. Now, Congress’ duty 
is to oversee its implementation, not to seek to delay it or cause 
it to fail in its mission. 

Today’s hearing is a distinct opportunity to address legitimate 
concerns with those lead agencies charged with bringing the ex- 
change system to fruition. I look forward to their testimony. 

Mr. Lankford. I now recognize the chairman of the Homeland 
Security Subcommittee on Cybersecurity, Infrastructure Protection, 
and Security Technologies, Mr. Meehan. 

Mr. Meehan. I thank the gentleman, and I thank the members 
of both committees who have participated in today’s hearing. 

I thank the witnesses for their presence today, and all the mem- 
bers of the Subcommittee on Cybersecurity, Infrastructure Protec- 
tion, and Security Technologies. 

This hearing comes at a critical time in implementing one of the 
key aspects of the President’s healthcare law, the Federal data 
hub. It’s not my intention to relitigate the Affordable Care Act at 
today’s hearing but rather to provide crucial oversight over the gov- 
ernment’s establishment of the Federal data hub. As a result of the 
Affordable Care Act, the Department of Health and Human Serv- 
ices is building an enormous data-sharing network between State 
health insurance exchanges and numerous Federal agencies. 

The purpose of the data-sharing hub is for the government to de- 
termine whether Americans who enter the exchange are eligible to 
do so. As the chairman of the House Homeland Security Commit- 
tee’s Cybersecurity Subcommittee, we’ve looked extensively at the 
access to and management of personally identifiable information by 
the Federal Government. I don’t need to explain to this committee 
or to our witnesses or to the American public from where our con- 
cerns emanate. We’ve witnessed all too recently how sensitive in- 
formation can be mismanaged by the Federal Government. We 
have seen how cyber attacks from adversarial nations who seek to 
infiltrate our country’s military and intelligence information have 
breached our most secure networks. We’ve watched — we have 
watched as thieves have stolen our top innovators’ intellectual 
property. We have witnessed America’s financial services institu- 
tions succumb to barrages of attacks by those who wish to do our 
nation and our very life harm. 
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These are the institutions that have the best in the form of pro- 
tections at this point in time. FBI Director Robert Mueller said 
that the cyber threat will be the number one threat to our country, 
a remarkable thing to be said. NSA Director Keith Alexander 
called a loss of intellectual property through cyber espionage the 
greatest transfer of wealth in history. And Former Secretary of De- 
fense Leon Panetta said the cyber attacks could shift from espio- 
nage to destruction, the variability to get inside this network and 
to destroy the ability for it to communicate at all if it is not a se- 
cure system. And the Director of National Intelligence, James Clap- 
per has said that potentially disruptive and even lethal technology 
continues to become easier to access and that we foresee a cyber 
environment in which emerging technologies are developed and im- 
plemented before security responses can be put in place. This is the 
best of our systems. 

I would like to see how this system is set up to protect against 
those kinds of threats. These are serious people that are talking 
about these issues. We’ve been charged with securing the most crit- 
ical data in the world, and although no one could certainly make 
the argument that the personally identifiable information of mil- 
lions of Americans is just as critical and critical to our Nation’s 
data security. 

Javelin Strategy and Research felt that $12.6 million Americans 
are victims of identity theft each year. And a February 2000 study 
of the Center for Strategic and International Studies found that 85 
percent of government and private sector network breaches took 
months to be discovered. Pricewaterhouse estimates that one-third 
of breaches come from employees. We are going to literally have 
thousands, 22,000 estimated alone, navigators just in the State of 
California. 

With over 20 million Americans estimated to enter into the ex- 
change over the next 5 years, this leads to the question, which I 
believe must be answered at today’s hearings. Are you ready? Does 
CMS have the tools in place to secure the information for over 20 
million Americans? Who and how many will have access to this in- 
formation? How do we ensure competence in those who have ac- 
cess? I have grave concerns about the ability to establish sufficient 
security in this massive unprecedented network by October 1st — 
that’s just 75 days away — when our most secure networks are 
being breached every single day. Every sector, every agency, every 
industry concerned with security will tell you they are only as 
strong has the weakest link. I hope that our panel today can allay 
some of these concerns, but I fear that our government is about to 
embark in an overwhelming task that will at best carry an 
unfathomable price tag and at worse place targets on every Amer- 
ican who enters the exchange. 

I look forward to hearing from you today, and I yield back my 
time. 

Mr. Lankford. Now recognize the chairman of the full com- 
mittee for Oversight and Government Reform, Mr. Issa. 

Mr. IsSA. Thank you, Mr. Chairman, and thank you for holding 
this important hearing. As my colleague from California, Ms. 
Speier, said, Obamacare is the law of the land. What she didn’t say 
is sequestration is the law of the land, and both were signed by 
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this President. So my expectation is that the President has to know 
that he has to live within the budget he signed; he has to live with- 
in the funding he signed, that the cost overruns that CBO now 
knows are in Obamacare — the “it’s going to be balanced,” to “it’s 
going to be nearly balanced,” to “it’s going to be a trillion dollar 
train wreck” is coming, but that’s not the subject today. 

The subject today, quite frankly, is the privacy of the American 
people and the accuracy of the data, and waste, fraud, and abuse. 
I have less confidence in today’s hearing for only one reason: A key 
witness, Sarah Hall Ingram, who has 3 years of full-time experi- 
ence since the passage of the bill, in some inexplicable way finds 
herself unable to be here, while I’m uniquely offered her boss. And 
I appreciate the Commissioner being here, but that’s unheard of 

Time and time again this committee has asked for Cabinet offi- 
cers, only to appropriately find somebody beneath that person who 
is able to answer our questions, so today we are going to have the 
top boss in his 65 days and probably his 55th appearance on Cap- 
itol Hill to answer questions. And I appreciate his presence, and 
I’m not trying to belittle the technical staff with him. But it goes 
to the root of this is a program so grand and so great that it pales 
Medicare in its shadow, it pales Medicaid in its shadow, and that’s 
what we’re dealing with. 

The data of every American potentially will be transferred or will 
be transferred. Now, let’s understand that. It’s not being trans- 
ferred to one place. In the cyber world, you have to look at eveiy 
end tentacle. Somebody at some station, somewhere in Chico, Cali- 
fornia, is going to have an outlet to the California exchange that 
is going to ultimately be connected to that data. So, although the 
IRS might be able to put the database in an acceptable system and 
transfer it, who are they transferring it to? Ms. Speier mentioned 
CMS. I think also the chairman mentioned it. CMS. Now, this com- 
mittee has recent experience. CMS is the organization that sent 
$15.5 billion to the State of New York in compensation excess of 
Federal law. And then, when we approached them, they wanted to 
phase it out over time. Well, they were overpaying vast amounts 
of money to the State of New York, to New York institutions owned 
and operated by the State. 

That wasn’t a long time ago. Mr. Chairman, that was this Con- 
gress. We still don’t have that $15.5 billion, so when we talk about 
waste, fraud, and abuse and we talk about the disclosure of per- 
sonal information, we are dealing where disclosures that occurred 
under the IRS’ watch under this President. We are dealing with 
waste, fraud, and abuse estimated by the inspector general to be 
greater than the Army’s budget. We lose more than the Army con- 
sumes in Medicare and Medicaid, so a program that’s statutorily — 
and the gentlelady from California is right; the law is the law. The 
law says that we will not subsidize unless the State has an ex- 
change. And yet, unilaterally, the President has proposed that 
State After State who chose not to be part of it are to have sub- 
sidies. So instead of having some States, we now will have all the 
States. Those who chose to do it, will be subsidized. Those who 
choose not to, out of thin air, without statutory approval, there will 
be a Federal exchange that will then be subsidized. Those are some 
of the things. 
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Now, the gentlelady from California is a friend and a colleague, 
but we differ on some parts. She thinks that Obamacare has done 
a lot already. I think that it has already run up the cost of 
healthcare. And when the President determines, without statutory 
approval, that one portion will not be implemented for an extra 
year, that on employers, because, of course, it’s not ready, and yet 
he thinks that an individual mandate and the standing up of ex- 
changes and the forcing of every individual in America into a 
healthcare plan not yet defined, with a database not yet secure, is 
okay? 

I’ve got to tell them, I have doubts, not about if Obamacare will 
some day be ready, if all the bugs can be worked out, but with no 
pilot and no consistency of the legislation to the actual implementa- 
tion, I’ve got to tell you, we are at least a year further out on not 
just the President’s slowdown but on the entire program, and I 
think today we are going to see exactly that, that the plans are 
there but the pilot and test, and if you will, proof of concept being 
tested, with those thousands or hundreds of thousands of terminal 
access points that could be what the ranking — the chairman from 
Homeland Security said, that weak link needs to be tested. I look 
forward to hearing all of the testimony and particularly the ques- 
tions as to the weakest link. 

And I yield back. 

Mr. Lankford. Thank you. All members will have 7 days to sub- 
mit their opening statements for the record. 

We will now recognize our panel. 

Before I recognize each individual, I would like to ask unanimous 
consent that our colleague from Tennessee, Mrs. Black, be allowed 
to participate in today’s hearing. 

Ms. Speier. Mr. Chairman, can I also request that the ranking 
member from the Committee on Homeland Security subcommittee, 
Ms. Yvette Clarke’s statement be read — be added to the record as 
well. 

Mr. Lankford. Absolutely, without objection, on both of those. 

So ordered. 

Mr. Lankford. Mr. Alan Duncan is the assistant inspector gen- 
eral for security and information technology services, the Office 
Treasury Inspector General for Tax Administration. 

Mr. Terence Milholland is the chief information officer for the 
IRS. 

Thanks for being here. 

Mr. Danny Werfel is the principal deputy commissioner of the In- 
ternal Revenue Service. 

Mr. Werfel, how many hearings have you been in so far? The 
chairman had mentioned that. 

Mr. Werfel. I think this is my sixth since arriving here. 

Mr. Lankford. Only six. Okay. We have got to get you to the 
double digits faster. 

Mr. Werfel. I have another one right after this one. 

Mr. Lankford. Well, we will do our best on that. 

Ms. Speier. We would like to — we would like for you to run the 
IRS, though, too. 

Mr. Werfel. I am doing that, too. 
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Mr. Lankford. Yeah. The Honorahle Marilyn Tavenner is the 
administrator for the Centers of Medicare and Medicaid Services. 

Mr. Henry Chao is the deputy chief information officer and dep- 
uty director of the Office of Information Services in the Center for 
Medicare and Medicaid Services. 

Thanks for being here. 

Mr. John Dicken is the healthcare director for the U.S. Govern- 
ment Accountability Office. 

Thank you as well. 

Mr. Lankford. Pursuant to committee rules, all witnesses are 
sworn in before they testify. 

Will you please stand, raise your right hands? 

Do you solemnly swear or affirm that the testimony you are 
about to give will be the truth, the whole truth and nothing but 
the truth, so help you God? 

Thank you. You may be seated. 

Let the record reflect that all witnesses have answered in the af- 
firmative. In order to allow time for discussion, we would ask you 
to limit your testimony to 5 minutes. I think all of you have been 
here before, some more recently than others, obviously. There is a 
clock that’s in front of you to give you a quite countdown. Your 
written statement is a part of the entire record, so we will give you 
5 minutes of time here. 

And Mr. Duncan, I think you get to be the lead off hitter in this 
one. 


STATEMENT OF ALAN R. DUNCAN 

Mr. Duncan. Thank you. 

Chairman Lankford, Chairman Meehan, Ranking Member 
Speier, Ranking Member Clarke, the members of the — and other 
members of the subcommittees, thank you for the opportunity to 
testify on the Treasury inspector general for tax administration’s 
views and observations on the Internal Revenue Service’s informa- 
tion technology support for the Affordable Care Act, how tax infor- 
mation will be provided and the safeguards needed to protect tax- 
payers’ data. 

The Affordable Care Act contains an extensive array of tax law 
changes that present many challenges for the IRS. The ACA will 
require collaboration and coordination among many organizations. 
The IRS’ role with respect to the ACA is to implement and admin- 
ister the ACA provisions that impact tax administration 

This requires developing and implementing computer programs 
that support the State and Federal insurance exchanges and the 
collection of taxes, fees, and penalties that would help fund the 
ACA. 

The IRS’ 2014 budget request includes $440 million for imple- 
mentation of the ACA, the largest component of which is $306 mil- 
lion for the implementation of information technology systems and 
communications. The ACA health insurance enrollment starts in 
October 2013. The IRS will be receiving health insurance related 
information starting in 2014 from many sources, including individ- 
uals, employers, insurance companies, and the health exchanges. 

The information technology security challenges for the ACA are 
considerable and include implementation of interdependent projects 
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in a very short span of time, evolving requirements, coordination 
with internal and external stakeholders, and cross agency system 
integration and testing. The IRS implementation plan for ACA ex- 
change provisions include providing information on eligibility, cal- 
culating the maximum advanced premium tax credit and recon- 
ciling ACA tax credits with reportable income. These provisions re- 
quire the development of new systems, modification of existing sys- 
tems, new fraud detection systems, and the deployment of inter- 
agency communication portals. 

The ACA health insurance enrollment process starts when an ap- 
plicant applies at the exchange. To provide support for enrollment, 
the IRS has developed the income and family size verification ap- 
plication that will provide exchanges with an applicant’s tax infor- 
mation. Our audit of this application determined that the project 
was on schedule and the IRS was managing knowing information 
technology risk. However, we do have concerns that the Federal tax 
data provided to the exchanges may not be adequately protected in 
accordance with the IRS’ safeguards program. 

To assist applicants in the exchanges with selection of the appro- 
priate insurance premium, tax credits, the IRS also developed the 
advanced premium tax credit application that will inform an appli- 
cant of the maximum amount of advanced insurance premium that 
they would be eligible to apply for. 

In the 2015 tax filing season, the IRS will be responsible for rec- 
onciling the advanced premium tax credit taken with actual income 
and family size during the tax year, which could result in a refund- 
able credit or additional tax liability. The IRS has developed a plan 
to prevent and detect fraud and abuse during tax return processing 
that includes ACA transactions. TIGTA does have concerns that 
the new fraud prevention systems and/or modifications to existing 
fraud-detection systems may not be operational in sufficient time 
to identify ACA-related fraud schemes. We believe the IRS needs 
to complete and embed predicted analytical ACA fraud models into 
the tax filing process prior to the start of the 2015 tax filing sea- 
son. 

The HHS and IRS have jointly developed an interagency test 
plan for the upcoming health insurance enrollment. We are con- 
cerned that final integration testing for all the agency systems, 
communications, and the Federal and State exchanges may not be 
completed before the start of the enrollment period in 2013. The 
lack of adequate testing could result in significant delays and er- 
rors in accepting and processing ACA applications for health insur- 
ance coverage. 

Because of the extensive changes to numerous Tax Code provi- 
sions, concerns related to ACA systems and security and the need 
for interagency coordination, TIGTA plans to continue strategic 
oversight of evolving ACA implementations. Our plan requires 
audit investigative resources to evaluate IRS’ role in ACA pro- 
grams and the protection of taxpayer’s data. 

Chairman Lankford, Chairman Meehan, members of the commit- 
tees, thank you for the invitation to appear. 

Mr. Lankford. Thank you. 

[Prepared statement of Mr. Duncan follows:] 
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TESTIMONY OF 

Alan R. Duncan, Assistant Inspector General for Audit 
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION 
before the 

COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM, SUBCOMMITTEE ON 
ENERGY POLICY, HEALTH CARE AND ENTITLEMENTS AND COMMITTEE ON 
HOMELAND SECURITY, SUBCOMMITTEE ON CYBERSECURITY, 
INFRASTRUCTURE PROTECTION, AND SECURITY TECHNOLOGIES 
U S. HOUSE OF REPRESENTATIVES 

“ACA- Information Technology Readiness and Data Security” 

July 17. 2013 

Chairman Lankford, Chairman Meehan, Ranking Member Speier, Ranking 
Member Clarke, and Members of the Subcommittees, thank you for the opportunity to 
testify on the Internal Revenue Service’s (IRS) Information Technology systems for the 
Affordable Care Act, how information will be sent and exchanged, and the safeguards to 
protect taxpayer data. 

The Patient Protection and Affordable Care Act' and the Health Care and 
Education Reconciliation Act of 2010 that made amendments to it (collectively referred 
to as the “ACA”) contain an extensive array of tax law changes that will present many 
challenges for the IRS in the coming years. The ACA provisions provide incentives and 
tax breaks to individuals and small businesses to offset health care expenses. They 
also impose penalties, administered through the tax code, for individuals and 
businesses that do not obtain health care coverage for themselves or their employees. 
The ACA represents the largest set of tax law changes in more than 20 years and 
represents a significant challenge to the IRS. 

The ACA will require coliaboration and coordination among many players 
including the IRS; the Departments of Health & Human Services (HHS), Treasury, 

Labor, Veterans Affairs, and Homeland Security; the Social Security Administration; 
State governments; and the private sector including insurers, employers, individuals, 
hospitals, practitioners, etc. 


' Pub. L. No. 1 1 1-148, 124 Stat. 1 19 (2010) (codified as amended in scattered sections of U.S. Code), as 
amended by the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat, 
1029. 
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The IRS’s role with respect to the ACA is to implement and administer its various 
provisions that have an impact on tax administration. This requires numerous actions, 
activities, and programs, such as revising or developing new forms, publications, and 
instructions; creating new computer programs; training IRS employees; revising Internal 
Revenue Manuals; issuing revenue procedures and regulations; and providing outreach 
to taxpayers and tax professionals. The effective dates of the ACA provisions range 
from Tax Year 2009 (retroactively) to 2018. 

While the Department of Health & Human Services will take the lead in 
developing the policy provisions of the Act, the IRS will be required to build new 
computer applications and business processes that do not exist within the current tax 
administration system and to modify existing systems and processes. The IRS’s Fiscal 
Year 2014 budget request includes additional funding needs of $440 million for 
continued efforts related to the implementation of the ACA. The largest component of 
this increase is $306 million for the implementation of the information technology 
changes needed to deliver income information, tax credits, and other ACA 
requirements. 

One major provision of the ACA is the requirement for individuals to maintain 
minimum essential health care coverage or face a continuous tax penalty. The penalty 
will be imposed on any taxpayer who, for any month after Calendar Year 2013, fails to 
maintain minimum essential health care coverage. Individuals can obtain health care 
coverage from their employers, purchase individual coverage, or obtain coverage 
through one of the State Exchanges or the Federal Exchange (collectively referred to as 
the Exchanges).^ 

The open enrollment period for the Exchanges starts in October 2013 and the 
first health insurance coverage year is 2014.^ With the ACA, the IRS will be receiving 
returns and health insurance-related information from many sources to support the 2015 
Filing Season. The Non-Exchange portion of the ACA includes additional taxes and 
fees as well as new tax filing requirements. The Non-Exchange provisions will require 
the IRS to develop systems to implement various ACA funding provisions, including 
computer applications to collect and process industry fees and taxes; ensure 


* Exchanges are intended to allow eligible individuals to obtain health insurance, and all Exchanges, 
whether State-based or established and operated by the Federal government, will be required to perform 
certain functions. 

® Open enrollment is the period of time that individuals who are eligible to enroll in a Qualified Health Plan 
can enroll in a plan at an Exchange. The open enrollment period is October 1, 2013 to March 31, 2014. 
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compliance with ACA provisions; and manage the collection and processing of ACA 
information returns. 

The information technology and security challenges for the ACA are considerable 
and include implementation of interdependent projects in a short span of time, evolving 
requirements, coordination with internal and external stakeholders, cross-agency 
system integration, and testing. ACA implementation will have a significant impact on 
existing systems, so there must be bandwidth to support all provisions. Finally, projects 
must be staffed with personnel who have the'required knowledge and skills to efficiently 
deploy new technologies. To manage these challenges, the IRS created a Project 
Management Office for the ACA within the Information Technology Services program 
area. 

Role of the IRS in Information Technology Support for the ACA 

The IRS’s implementation plan for ACA Exchange provisions includes providing 
information on eligibility and enrollment, developing calculations for the Advanced 
Premium Tax Credit,'* reconciling Premium Tax Credits® with reported taxable income, 
and developing new ACA information collection and processing systems. These 
provisions require development of new computer systems, modification of existing 
systems, revision and/or creation of new fraud detection systems, and deployment and 
testing of new interagency communication portals to support ACA operations. 

The ACA health coverage enrollment process starts when an applicant applies at 
the Federal or State Exchanges. The Social Security Administration will verify the 
applicant’s Social Security Number, lawful presence, and prisoner status. The 
Department of Homeland Security will provide the legal immigration status of the 
applicant and dependents. 

The enrollment process carried out by the HHS and the Exchanges is illustrated 
in Appendix 1. 

The Exchanges will request income and family size information for each 
applicant and family members who are qualified to apply for health insurance and will 
forward the request to the IRS. The HHS Data Services Hub provides the connections 


“ An Advanced Premium Tax Credit is paid in advance to a taxpayer’s insurance company to help cover 
the cost of premiums. 

® A refundable tax credit to assist individuals and families in purchasing health insurance coverage 
through an Affordable Insurance Exchange. 


3 



14 


for the Exchanges and all other Federal agencies, including the IRS. The HHS Data 
Services Hub is connected to the IRS through the IRS Transactional Portal 
Environment. 

The IRS, using Federal tax data, will determine the applicant’s historical 
household income, family size, filing status, adjusted gross income, taxable Social 
Security benefits, and other requested information. The IRS will then transmit the 
Federal tax data to the HHS Data Services Hub for delivery to the appropriate 
Exchange. The Exchanges will compare the IRS information with the information 
provided by the applicant and other available data. 

The Treasury Inspector General for Tax Administration (TIGTA) has issued a 
report on the IRS Income and Family Size Verification Project and found that the project 
was on schedule and the IRS was managing known information technology risks at the 
time the audit was conducted.® TIGTA made recommendations to improve the 
management of ACA changes to requirements and to use an integrated suite of 
automated tools to manage ACA requirements and application test cases. TIGTA 
remains concerned about the protection of confidential taxpayer data that will be 
provided to the State and Federal Exchanges, For this reason, we will include a review 
of the protection of taxpayer data by organizations outside of the IRS in our planned 
audit of ACA data security. 

The Exchanges will use the income and family size information received from the 
IRS as well as information provided by the applicant and other data sources in finalizing 
the income amounts and family size. The Exchanges will provide these final amounts to 
the IRS to calculate the Maximum Advanced Premium Tax Credit. The Exchanges will 
prepare an Advanced Premium Tax Credit request and forward it to the IRS for 
processing. TIGTA will be initiating an audit to review the accuracy of the data that the 
IRS provides to the HHS for use in enrolling individuals and calculating the Advanced 
Premium Tax Credit, and plans to issue a report in Fiscal Year 2014. 

The IRS developed the Advanced Premium Tax Credit application and calculator 
to determine each applicant’s eligibility for the Maximum Advanced Premium Tax Credit. 
The applicant chooses the amount of Advanced Premium Tax Credit desired up to the 
maximum amount provided by the IRS and selects and purchases a health insurance 
plan. 


® TIGTA, Ref. No. 2013-23-034, Affordable Care Act: The Income and Family Size Veiification Project: 
Improvements Could Strengthen the Internal Revenue Service's New Systems Development Process 
(Mar. 2013). 
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The flow of data for the Income and Family Size Verification Project and the 
calculation of the Advanced Premium Tax Credit are summarized in Appendix 2. 

The Department of the Treasury is notified by the Exchanges of the Advanced 
Premium Tax Credit amount selected and will fonward a check in the approved amount 
directly to the insurer. During each filing season, the IRS will reconcile the Advanced 
Premium Tax Credit originally claimed against the actual income and family size 
reported on individuals' tax returns. If the Credit amount is too low, the IRS will refund 
the remaining Credit to the taxpayer when the taxpayer files his or her tax return. If it is 
too high, the IRS will assess the additional Credit on the taxpayer’s account and attempt 
to collect it. 

There could be many reasons why the Credit is different when the tax return is 
filed. For example, the taxpayer’s income could have changed from the prior year when 
the taxpayer applied for health coverage, or the taxpayer's family size may have 
increased or decreased from the prior year. TIGTA is concerned that the potential for 
refund fraud and related schemes could increase as a result of processing ACA 
Premium Tax Credits unless the IRS builds, implements, updates, and embeds ACA 
predictive analytical fraud models into the tax filing process. 

Health insurance premium data and other ACA information will flow to the IRS 
directly from individuals, employers, and insurance providers before each tax filing 
season and will contain the critical data needed for processing tax returns and 
determining the actual Premium Tax Credit for applicable individuals and businesses. 
Beginning in Calendar Year 2014, State Exchanges and the Federal Exchange will 
transmit data to the IRS on a monthly basis. The data will identify all taxpayers and 
dependents covered by qualified health plans and will contain details on the Advanced 
Premium Tax Credit paid to insurers on behalf of the taxpayer for each month, as well 
as additional health insurance information. These data will be retained by the IRS for 
use during the tax filing season. 

TIGTA is currently conducting an audit of the IRS’s application development and 
testing for the Advanced Premium Tax Credit application and calculator and will finalize 
the report before the beginning of the October 2013 open enrollment period.^ 


’ TIGTA, Audit No. 201320312, Review of Systems Development Activities for the Premium Tax Credit 
Project Under the Affordable Care Act Program, report planned for September 2013. 
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TIGTA’s understanding of the flow of ACA tax information is summarized in 
Appendix 3. 

Security and Protection of Taxpayer Data 

The Federal tax data provided to the HHS and the Exchanges will be protected 
through the IRS’s Safeguard Review Program. The Internal Revenue Code authorizes 
the IRS to disclose Federal tax information to various Federal, State, and local entities. 
However, before agencies receive Federal tax information, they must submit a formal 
report called the Safeguard Procedures Report that describes how the agency will 
protect and safeguard the data. In addition, agencies are required to annually submit a 
Safeguards Activity Report to describe any changes to the Safeguard Program, advise 
on future actions, and certify that they are protecting the data. The Safeguard office 
also conducts on-site reviews of each agency that receives Federal tax Information. 

TIGTA is currently conducting an audit of the IRS’s Safeguard Program and will 
issue a report on its operations in Fiscal Year 2014.® TIGTA has concerns that the 
Safeguard Program may lack sufficient staffing or funding to adequately expand its 
operations to include the addition of the Federal and State Exchanges. We plan to 
assess the protection of Federal tax data provided by the Program in the future. 

Protection Against Frauduient ACA Tax Return Processing 

The IRS has also developed a plan for the prevention, detection, and resolution 
of fraud and abuse during ACA tax return processing. The plan, when fully developed 
and implemented, is designed to leverage third-party reporting from the Exchanges and 
new computer analytical capability built into the Return Review Program.® The plan 
calls for the development of the ACA Validation Service which will be used to identify 
improper ACA-related refunds. The ACA Validation Service will be designed to perform 
screening for improper refunds and will also identify fraudulent schemes that include 
multiple returns. The IRS plans to rely on the Electronic Fraud Detection System and/or 
the new Return Review Program to provide the systems to identify and prevent 
ACA-related refund fraud. 


®TIGTA, Audit No. 201320029, Review of the Internal Revenue Service's Office of Safeguards, report 
planned for February 2014. 

® The Return Review Program is the key automated component of the IRS's pre-refund initiative and will 
implement the IRS’s new business model for a coordinated criminal and civil tax noncompliance approach 
to prevent, detect, and resolve tax refund fraud. 
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The applications for processing electronic and paper tax returns will need to be 
modified before January 2015 to be able to use the new ACA Validation Service to 
determine if a taxpayer claiming the Premium Tax Credit also purchased insurance 
through the Exchanges or received an Advanced Premium Tax Credit in 2014, and if 
any math errors exist. 

TIGTA is currently performing a system development audit of the Return Review 
Program that will include the development and design of ACA fraud and abuse 
provisions.’® We have concerns that the Return Review Program may not be 
operational in sufficient time to identify ACA-related refund fraud and that the IRS’s 
existing fraud detection systems may not be capable of identifying ACA refund fraud or 
schemes prior to the issuance of tax return refunds. 

In addition, TIGTA plans to conduct several audits of ACA processing and 
operations for the 2014 and 2015 filing seasons. These will address the IRS’s 
processing of various tax returns and evaluate whether taxpayers are eligible for the 
ACA tax provisions claimed on tax returns. The need for the IRS’s systems to be fully 
operational before the next filing season begins is critical to Federal tax administration. 
The IRS will need to ensure that tax returns accurately claim the various applicable ACA 
provisions, and, above ail, that taxpayers are treated fairly. 

Interagency Testing of ACA Systems 

The HHS and the IRS have jointly developed an Interagency Test Plan for the 
2013 open enrollment period that documents the test design and management activities 
they have agreed upon. The Interagency Test Plan establishes how the systems 
supporting the open enrollment will be tested to ensure operational communication, 
functionality, and interoperability.” The HHS systems involved in this testing include 
the Federal Exchange, which provides interface capability for citizens to apply for health 
care coverage. In addition, the HHS Data Services Hub will provide 
telecommunications support to enable the various Federal agency systems to share 
data for ACA purposes. 

From the IRS perspective, the Plan includes the capabilities of the Income and 
Family Size Verification Project and the Advanced Premium Tax Credit application. The 


’“ TIGTA, Audit No. 201220011, Return Review Program Transition State 1 Systems Development 
Activities, report planned for September 2013. 

” The ability of two or more systems or components to exchange information and to use the information 
that has been exchanged. 
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HHS Data Services Hub is connected to the IRS through the Transactional Portal 
Environment. The IRS and the HHS plan to jointly capture and manage test results, 
including tracking and monitoring any reported issues until they are resolved. However, 
TIGTA is concerned that final integration testing for all of the various agency systems, 
communications, and the Federal and State Exchanges will be difficult to complete 
before the start of the enrollment process in October 2013. The lack of adequate 
testing could result in significant delays and errors in accepting and processing ACA 
applications for health insurance coverage. 

TIGTA plans to review the testing results and where possible wilt observe the 
testing and include our assessment in upcoming reports. We will also closely 
coordinate with the HHS' Office of Inspector General to ensure that all aspects of the 
systems are reviewed. TIGTA plans to conduct a comprehensive audit of the security 
over Health Insurance Exchange information maintained both by the IRS and the 
Exchanges where Federal tax data has been provided. TIGTA also plans to review the 
implementation of statutorily-mandated data protection of Federal tax data and will 
evaluate the adequacy of data security, disaster recovery, availability, reliability, 
operational readiness, and testing of new systems. 

TIGTA’s ACA Oversight Strategy 

Several key ACA provisions will become effective in Fiscal Year 2014, making 
Fiscal Year 2014 and Calendar Year 2015 a significant period for ACA oversight, in 
addition, many provisions that previously became effective will require continued 
oversight to ensure that appropriate corrective actions are taken by the IRS. Because 
of the extensive changes to numerous tax code provisions, our concerns related to the 
development and implementation of new ACA systems, and the extensive coordination 
required between all of the stakeholders to effectively administer the ACA, TIGTA has 
implemented a multi-year oversight strategy that includes audits, evaluations, and 
investigative resources to assess the IRS’s implementation of the ACA. This strategy 
includes coordination with other agencies, including the HHS Office of Inspector 
General. 

Chairman Lankford, Chairman Meehan, Ranking Member Speier, Ranking 
Member Clarke, and Members of the Subcommittees, thank you for the opportunity to 
share my views and observations. 
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Appendix 2 - Affordable Care Act Exchange Data Flows 
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Mr. Lankford. Mr. Werfel. 

STATEMENT OF THE HONORABLE DANIEL WERFEL 

Mr. Werfel. Chairman Lankford, Chairman Meehan, Ranking 
Member Speier and Clark and members of subcommittees, thank 
you for the opportunity to appear before you today to discuss the 
systems being developed to facilitate information sharing among 
the IRS, the Department of Health and Human Services and other 
Federal agencies as part of the Affordable Care Act. 

The IRS has been working to implementing a number of tax-re- 
lated provisions within the ACA. The most substantial of these pro- 
vides for premium assistance tax credits to help millions of Amer- 
ican families afford health insurance starting in 2014, when the 
new health insurance marketplace, also known as health insurance 
exchanges, will begin operating. 

To properly administer ACA provisions, such as the premium as- 
sistance tax credit, the IRS, HHS, and other Federal agencies will 
need to share individual’s personal and financial information. For 
example, the marketplace will need Federal taxpayer data to help 
verify individuals’ eligibility for the tax credits. Upon request, the 
IRS will provide income, family size, and filing status information 
from recent tax returns. 

Separately, the IRS will provide a support service to compute a 
maximum advanced premium credit based upon inputs from the 
marketplace. The ACA designates HHS as the conduit for informa- 
tion being shared with the marketplace. The taxpayer data sup- 
plied by the IRS will be transmitted over secure encrypted chan- 
nels through the HHS data hub, which was developed to facilitate 
these data transfers. Our ability to share data with HHS is being 
brought about through new systems and services that our informa- 
tion technology division has been developing. 

We are on target to have these systems ready when open enroll- 
ment in the marketplace starts on October 1 of this year. Last 
month, we completed systems development and also finished inter- 
agency testing with HHS and the Centers for Medicare and Med- 
icaid Services. Performance testing of these systems will continue 
through the summer. 

It is important to note that information sharing under the ACA 
will be done against the backdrop of very strong confidentiality pro- 
tections that have been long part of the tax laws. In general, sec- 
tion 6103 of the Internal Revenue Code prohibits the IRS from 
sharing tax return data with anyone outside the agency. Over the 
years, however. Congress has created a series of narrow exceptions 
to the restrictions in section 6103. 

For example, the IRS is permitted to disclose tax return informa- 
tion to other Federal agencies and to State tax authorities to facili- 
tate efficient tax administration. The ACA provides a specific ex- 
ception to section 6103 for information sharing activities that the 
IRS will perform under the statute. The IRS is already well posi- 
tioned to ensure the safety and security of the data being shared 
under the ACA, given the longstanding experience we have in over- 
seeing the transmission of data to Federal and State agencies. 

The IRS office of safeguards has the responsibility for monitoring 
the nearly 300 Federal and State agencies that currently are per- 
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mitted to receive tax return data to ensure they are complying with 
strict safeguarding requirements we impose on them. 

To prepare for data sharing under the ACA, the IRS has heen 
collaborating with HHS and other agencies on the processes and 
written agreements needed to protect personal information, includ- 
ing tax return data. Among our collaborative efforts, the IRS and 
HHS have entered into a computer matching agreement or CMA, 
which details the operations of the data exchanges and various dis- 
closure restrictions and other requirements. 

Just this week, the CMA was signed by both agencies and trans- 
mitted to the Treasury Data Integrity Board for approval. After ap- 
proval by Treasury and HHS, it will be transmitted to Congress for 
the required notice period and be effective when open enrollment 
begins on October 1. 

The IRS is subjecting the health insurance marketplace and 
State agencies seeking tax return data under the ACA to signifi- 
cant data protection requirements. Before one of these entities can 
obtain tax return information, it must submit a Safeguard Proce- 
dures Report, or SPR to the IRS for its approval. This report de- 
tails the steps that the entity has established or plans to take to 
protect the confidentiality of the tax records it will be handling. 

Taxpayer data will be withheld from entities that fail to establish 
adequate safeguards. The IRS will provide a list of entities with ap- 
proved SPRs to HHS by October 1. Going forward, we will provide 
ongoing oversight to ensure that all entities involved in data shar- 
ing continue to meet the safeguarding requirements. 

Chairman Lankford, Chairman Meehan, and Ranking Member 
Speier and Clarke, that concludes my statement. I would be happy 
to take your questions. 

[Prepared statement of Mr. Werfel follows:] 
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BEFORE THE 

HOUSE OVERSIGHT AND GOVERNMENT REFORM COMMITTEE 
SUBCOMMITTEE ON ENERGY POLICY, HEALTH CARE AND 
ENTITLEMENTS AND THE 
HOUSE HOMELAND SECURITY COMMITTEE 
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ON 

JULY 17, 2013 


Introduction 

Chairmen Lankford and Meehan, Ranking Members Speier and Clarke, and Members of 
the Subcommittees, thank you for the opportunity to appear before you today to discuss 
the systems being developed to facilitate information sharing among the IRS, the 
Department of Health and Human Services (HHS) and other federal agencies as part of 
the Affordable Care Act (ACA). 

Before turning to the details of the work we are doing to prepare for the sharing of 
information to occur under the ACA, let me first outline the steps we have taken to 
implement the tax provisions of the statute. Initially we focused on implementing tax law 
changes that were retroactively or immediately effective. Examples of such provisions 
include the Small Business Health Care Tax Credit and the expansion of the Adoption 
Credit. This work is largely complete. 

Our current focus is on putting structures and processes in place to plan for provisions 
with upcoming effective dates. Our most substantial implementation effort in this regard 
involves the delivery of premium tax credits that will help millions of American families 
afford health insurance starting in 2014, when the new Health Insurance Marketplace, 
also known as the Affordable Insurance Exchanges, will begin operating. HHS is the lead 
agency on defining the structure and operations of the Marketplace, and under the statute 
open enrollment for insurance purchased through the Marketplace will start October 1, 
2013, with coverage beginning as soon as January 1, 2014. 

Starting in 2014, individuals who do not have access to affordable employer-sponsored 
insurance or other minimum essential coverage may be eligible to receive advance 
premium tax credits, paid directly to the insurer, for private insurance that they purchase 
through the Marketplace. Treasury and the IRS have provided guidance on how these tax 
credits work and can help subsidize this coverage, and HHS has provided guidance on 
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how advance payments can be requested at the Marketplace. Under the ACA, the 
Marketplace requests tax return information from the IRS to determine eligibility for 
financial assistance such as premium tax credits. IRS staff have been working closely 
with HHS and the states on developing secure and efficient systems for the flow of this 
information. 

Taxpayers who qualify for advance payments of the credit will reconcile these payments 
on their 2014 tax returns filed in 2015. If the actual credit is larger than the sum of 
advance payments, the taxpayer will be entitled to additional credit. If the aqtual credit is 
smaller than the sum of the advance payments, the taxpayer will owe the difference, 
subject to certain repayment caps included in the ACA, as amended. 

Because the provisions mentioned above are substantial and require advance preparation, 
the IRS has established enterprise-wide governance and planning processes, coordinating 
efforts among our business operations, information technology function, legal counsel 
and our Office of Safeguards. These planning efforts have had the benefit of independent 
reviews by both the Government Accountability Office and the Treasury Inspector 
General for Tax Administration. 

Our budget requests in recent years reflect the need to invest in information technology 
(IT) systems to generally update our tax systems as well as administer the premium tax 
credit and other tax law provisions of the ACA. Of the funding requested in our FY 2012 
and FY 2013 budgets related to ACA tax law implementation, 82 percent and 92 percent, 
respectively, was in our Operations Support account, which funds our IT and operations 
investments; almost 70 percent of the 2014 budget proposal for ACA is requested to 
continue the necessary IT development as the ACA is rolled out. 

IRS Role in Information Sharing 

The proper operation of some components of the ACA requires the IRS, HHS and other 
federal agencies to share certain information about individuals. For example, the 
Marketplace will need federal taxpayer data to help verify individuals’ eligibility for 
premium tax credits. Upon request, the IRS will provide income, family size and filing 
status information from recent tax returns. Medicaid and the Children’s Health Insurance 
Program may also choose to request the tax data for their eligibility determinations. 
Separately, the IRS will provide a support service to compute the maximum advance 
prerhium credit based on inputs from the Marketplace. 

The ACA designates HHS as the conduit for information being shared with the 
Marketplace. The taxpayer data supplied by the IRS will be transmitted over secure, 
encrypted channels to the HHS Federal Data Services Hub, which was developed to 
facilitate these data transfers. The Federal Data Services Hub will not be storing taxpayer 
information, but merely routing that information to authorized users. 

Our ability to share data with HHS is being brought about through new systems and 
services that our IT division has been developing. For example, the IT division has 
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created a Coverage Data Repository, which pre-positions tax return data to be used to 
respond to Marketplace data requests, via the HHS Data Hub. We are also creating a 
Transactional Portal Environment, which serves as the secure gateway for data passing to 
and from the IRS. 

We are on target to have our new systems ready for deployment when open enrollment in 
the Marketplace begins on October 1 . Our IT project teams completed systems 
development in June, and they completed interagency testing with HHS and the Center 
for Medicare and Medicaid Services (CMS) that same month. Performance testing of 
these systems will continue through the summer. 

It is important to note that information sharing under the ACA will be done against the 
backdrop of very strong confidentiality protections that have long been a part of the tax 
laws. In general, section 6103 of the Internal Revenue Code prohibits the IRS from 
sharing tax return data with anyone outside the agency. 

Over the years, however, Congress has created a series of narrow exceptions to the 
restrictions in section 6103. Those exceptions allow the IRS to share taxpayer 
information for specific purposes and with proper safeguards. For example, the IRS is 
permitted to disclose tax return information to other Federal agencies and state tax 
authorities to facilitate efficient tax administration. The ACA provides a specific 
exception to section 6103 for information sharing activities that the IRS will perform 
under the statute. 

Let me turn now to the steps that the IRS is taking to ensure the safety and security of the 
data being shared under the ACA. The IRS is already well positioned to provide the 
needed safeguards, given the longstanding experience it has in overseeing the 
transmission of data to Federal and state agencies under previously enacted exceptions to 
section 6103. Agencies receiving return information from the IRS must meet significant 
safeguarding requirements, including strict recordkeeping and proper handling, storage 
and disposal of tax records. 

The IRS Office of Safeguards has the responsibili^ for monitoring the nearly 300 
Federal and state agencies that currently are permitted to receive tax return data, to ensure 
they are complying with all requirements. IRS Publication 1075, Tax Information 
Security Guidelines for Federal, States and Local Agencies, provides detailed 
background and procedures for data recipients. 

In regard to upcoming data sharing under the ACA, the IRS has been collaborating with 
the other Federal and state agencies involved in ACA implementation on the various 
processes and written agreements that are necessary for safeguarding personal 
information, including tax return data. We meet on a regular basis with every state and 
Federal government entity that might receive taxpayer data, to provide them with 
outreach and education, one-on-one consultations, and technical assistance on IRS data 
security requirements. 
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Among our collaborative efforts, the IRS and HHS have entered into a Computer 
Matching Agreement to meet the requirements of the Computer Matching and Privacy 
Protection Act. This agreement details the operations of the data exchange, as well as 
various disclosure restrictions and other requirements. The IRS and CMS have entered 
into an Information Exchange Agreement covering the use of HHS systems by the 
Marketplaces to transmit monthly and annual information reports to the IRS, and also 
covering use of the Premium Tax Credit Computation Engine by the Marketplaces. The 
IRS and CMS also have an Interconnection Security Agreement covering the security of 
the connection between the agencies. Because HHS is the conduit for the tax return 
information, it will in turn enter into similar agreements with all entities receiving the 
return information. 

The IRS holds the Marketplaces and state agencies seeking tax return data under the 
ACA to significant data protection requirements. Before one of these entities can obtain 
tax return information, it must submit a Safeguard Procedures Report (SPR) to the IRS, 
and the IRS must approve it. This report details the steps that the entity has established or 
plans to take to protect the confidentiality of the tax records it will be handling. Taxpayer 
data will be withheld from entities that fail to establish adequate safeguards. Going 
forward, we will work with HHS and all other entities involved to ensure adequate data 
safeguards are in place, and we will provide ongoing oversight to ensure that all entities 
involved in data sharing continue to meet the safeguarding requirements. 

While the focus for October 2013 is on the key information being shared under the ACA 
flowing out of the IRS, the agency will also be receiving information, beginning in 2014, 
to enable it to implement certain ACA provisions. It is important to note that the IRS 
already routinely receives third-party information that helps it verify the accuracy of tax 
returns, and we have longstanding policies in place related to the safety and privacy of 
this information. We will use this experience to guide us in making sure that any ACA- 
related taxpayer information we receive is properly safeguarded. 

The Marketplaces will, for example, be sending to the IRS enrollment information for 
individuals buying insurance through the Marketplace. This information will include the 
fact and cost of coverage, and information on any advance payments of the premium tax 
credit made during the coverage year. The IRS will reconcile this information with what 
the individuals report on their tax returns so that the IRS can verify whether they received 
the proper amount of credit, are owed more, or must repay any excess advance payments. 
This information will help the IRS speed processing of returns and spot fraudulent claims 
of the credit. 

Conclusion 

Chairmen Lankford and Meehan, Ranking Members Speier and Clarke, thank you again 
for the opportunity to testify on the steps we are taking to facilitate information sharing 
among Federal agencies under the ACA. We are taking all necessary steps to ensure that 
tax return information that flows to the Marketplace and state agencies carrying out the 
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provisions of the ACA is secure and properly safeguarded. This concludes my testimony. 
I would be happy to take your questions. 
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Mr. Lankford. Ms. Tavenner. 

STATEMENT OF THE HONORABLE MARILYN B. TAVENNER 

Ms. Tavenner. Good morning, Chairman Lankford 

Mr. Lankford. We need to get you button on there so we can 
all hear you. 

Ms. Tavenner. Thank you. Good morning. I would like to thank 
you for the opportunity to discuss the Center for Medicare and 
Medicaid Service’s progress in implementing the IT systems in sup- 
port of the new health insurance marketplace. 

Since the passage of the Affordable Care Act, CMS has been hard 
at work designing, building, and testing secure systems that ensure 
Americans are able to enroll in affordable health coverage. I want 
to assure you that October 1, 2013, the health insurance market- 
place will be open for business. Consumers will be able to log onto 
healthcare.gov, fill out an application and find out what coverage 
and benefits they qualify for. 

I also want to assure you and all Americans that when they fill 
out their marketplace application, they can trust that the informa- 
tion they are providing is protected through the highest privacy 
standards, and the technology underlying this application process 
has been tested and is secure. 

I want to quickly walk you through what we’re building, how it 
works and what data we are storing. I know there has been some 
confusion about the marketplace, its IT system and how data will 
be used. I want to make two points clear. 

First, while the marketplace application asks for some personal 
information, such as name, address. Social Security number, and 
date of birth, the marketplace application never asks for personal 
health information and the marketplace IT systems will never ac- 
cess or store personal health information beyond that which is rou- 
tinely used when applying for Medicaid. 

Second, CMS prioritizes the privacy and security of applicant’s 
data. CMS designed the marketplace IT system in a way to mini- 
mize all possible security vulnerability, and we especially focused 
on storing the minimum amount of personal data possible. With 
that clear, let’s move to the first question people often ask. What 
is it that we are building? 

The Affordable Care Act directs States to establish State-based 
marketplaces by January 1 of 2014. In States electing not to estab- 
lish such a marketplace, the Affordable Care Act requires that the 
Federal Government establish and operate a marketplace in the 
State which is frequently referred to as the Federally Facilitated 
Marketplace. This marketplace will provide consumers access to 
healthcare coverage through private qualified health plans, and 
consumers seeking financial assistance may qualify for insurance 
affordability programs through the marketplace such as tax credits. 

In order to enroll in an insurance affordability program through 
the marketplace, individuals must complete an application and 
meet certain eligibility requirements. To fulfill these functions. 
Federally Facilitated and State-based marketplaces are developing 
eligibility, redetermination and appeals IT systems. These IT sys- 
tems are similar to what private issuers. Medicare Advantage 
issuers, and State Medicaid agencies currently use to carry out the 
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same functions. Because these IT systems that perform the basic 
functions of the marketplace, CMS is developing a tool, which is 
known as the Federal Data Services Hub, which provides the elec- 
tronic connection between the eligibility systems of the market- 
place to already existing secure Federal and State databases to 
verify that information is correct, and that consumer provides in 
the marketplace application. 

It is important to understand that the hub is not a database. It 
does not retain or store information. It is a routing tool that can 
validate applicant information from various trusted government 
databases through secure networks. It allows the marketplace, 
Medicaid and CHIP systems to query government databases used 
today. The hub will only query the databases necessary to deter- 
mine eligibility for specific applicants. The hub increases by effi- 
ciency and security by eliminating the need for each marketplace, 
each Medicaid agency and each CHIP agency to set up separate 
data connections to each database. We know that vulnerability in- 
creases when the number of connections to a database increase. 
That’s why we created the hub. The hub provides one highly se- 
cured connection to trusted Federal and State partners’ databases 
used today instead of requiring each agency to set up what would 
have amounted to hundreds of different connections. 

We have completed development in the majority of the testing of 
the hub services. All testing for the hub will be completed by the 
end of August. And with that. I’ll conclude and be happy to answer 
any questions. 

Mr. Lankford. Thank you. 

[Prepared statement of Ms. Tavenner follows:] 
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U. S. House Committee on Oversight and Government Reform, 
Subcommittee on Energy Policy, Health Care 
U.S. House Committee on Homeland Security 
Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies 
“Evaluating Privacy, Security, and. Fraud Concerns with 
Obamacare’s Information Sharing Apparatus” 

July 17,2013 

Good morning. Chairmen Lankford and Meehan, Ranking Members Speier and Clarke, and 
members of the Subcommittees. Thank you for the opportunity to discuss the Centers for 
Medicare & Medicaid Services’ (CMS) progress in implementing information technology 
systems in support of the new Health Insurance Marketplaces. Since the passage of the 
Affordable Care Act, CMS has been hard at work to design, build, and test secure systems that 
ensure Americans are able to enroll in affordable health care coverage. Given this important 
work, I appreciate the interest these Committees and the Congress have shown in our progress in 
completing and managing these systems. I want to assure you that I am committed to applying 
all the appropriate laws, regulations, and business agreements to protect the security and privacy 
of the consumers participating in the Marketplaces. CMS brings to this task experience and 
success in protecting the security and privacy in programs even larger than the Marketplaces 
such as Medicare. 

Overview of the Marketplace Information Technology (IT) Systems 
The Affordable Care Act directs states to establish State-based Marketplaces by January 1, 2014. 
In states electing not to establish and operate such a Marketplace, the Affordable Care Act 
requires the Federal government to establish and operate a Marketplace in the state, referred to as 
a Federally-facilitated Marketplace. The Marketplaces will provide consumers access to health 
care coverage through private, qualified health plans, and consumers seeking financial assistance 
may qualify for insurance affordability programs made available through the Marketplace. 

The insurance affordability programs include the advance payment of the premium tax credits, 
cost-sharing reductions, Medicaid, and the Children's Health Insurance Program (CHIP). The 
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advance payment of the premium tax credit may be applied automatically to the purchase of a 
qualified health plan through the Marketplace, reducing upfront the premiums paid by 
consumers. Cost-sharing reductions may also lower the amount a consumer has to pay out-of- 
pocket for deductibles, coinsurance, and copayments for a qualified health plan purchased 
through the Marketplace. In order to enroll in an insurance affordability program offered 
through a Marketplace, individuals must complete an application' and meet certain eligibility 
requirements.^ Before we get further into this discussion, it is important to note that while the 
Marketplace application asks for personal information such as date of birth, name, or address, the 
Marketplace application never asks for personal health information arid the Marketplace IT 
systems will never access or store personal health information beyond what is normally asked for 
in Medicaid eligibility applications. 

Eligibility, Redetermination, and Appeals Marketplace IT Systems 
To fulfill the functions specified in the Affordable Care Act, Federally-facilitated and State- 
based Marketplaces are developing eligibility, redetermination, and appeals systems. These 
systems are similar to what private issuers. Medicare Advantage issuers, and State Medicaid 
agencies currently use to determine eligibility, enroll applicants into health coverage, process 
appeals, and perform customer service, as well as prevent fraud, waste, and abuse. 

These systems will: 

• Determine a consumer’s eligibility to enroll in a qualified health plan through a 
Marketplace and for insurance affordability programs; 

• Redetermine consumer eligibility status during the year; 

• Allow individuals to appeal an eligibility determination; 

• Enroll consumers in and provide payment transactions for insurance affordability 
programs; and 

• Provide oversight to ensure issuers comply with new Affordable Care Act consumer 
protections. 


' The individual application short form is available at this website: htt p://www.cms.gov/CClIO/Resources/Forms- 
ReDQrt.s-and-Other-Resources/Downloads/marketDlace-aDD-short-forni.pdf 
^ Pursuant to 45 C.F.R. 155.305. 
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Federal Data Services Hub 

CMS has developed a tool, known as the Federal data services hub (the Hub), that provides an 
electronic connection between the eligibility systems of the Marketplaces to already existing, 
secure Federal and state databases to verify the information a consumer provides in their 
Marketplace application. Data transmitted through the Hub will help state agencies determine 
applicants’ eligibility to enroll in Medicaid or CHIP, and help the Federally-facilitated and State- 
based Marketplace eligibility systems determine an applicant’s eligibility to seek health 
insurance coverage through a Marketplace, and their eligibility for advance premium tax credits 
and cost-sharing reductions. 

It is important to understand that the Hub is not a database; it does not retain or store 
information. It is a routing tool that can validate applicant information from various trusted 
government databases through secure networks. It allows the Marketplace, Medicaid, and CHIP 
systems to query the government databases used today in the eligibility processes for many state 
and Federal programs. The Hub would query only the databases necessary to determine 
eligibility for specific applicants. The Hub increases efficiency and security by eliminating the 
need for each Marketplace, Medicaid agency, and CHIP agency to set up separate data 
connections to each database. 

CMS has already completed development and the majority of the testing of the Hub services 
required to support open enrollment on October 1, 2013. CMS and the Internal Revenue Service 
(IRS) are currently testing the integration of the Hub with their IT systems, and this testing was 
95 percent complete as of the end of June. CMS started testing the Hub with the other Federal 
partners, including the Social Security Administration (SSA) and the Department of Homeland 
Security (DHS), earlier this summer, and that testing will be completed by the end of 
August. CMS is currently testing the Hub with 40 states, and during the remainder of July and 
August, we will finish testing the Hub with the remaining states and territories. 

How These Systems Verify a Marketplace Application 

All State-based and Federally-facilitated Marketplaces will determine an applicant’s eligibility 
for enrollment in a Qualified Health Plan through the Marketplace, and if the applicant requests. 
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to determine eligibility for an insurance affordability program. Consumers will be able to access 
an application through their Marketplace website, by phone, in person or by mailing a paper 
form. Regardless of the method a consumer uses to apply for coverage, when consumers submit 
their Marketplace applications, the following steps occur: 

1 . Social Security Numbers and U.S. citizenship or immigration status will be verified 
through secure connections using the Hub with the already existing databases of the SSA 
and the DHS. The Hub will not store or retain the data transmitted in this process. 

2. For consumers seeking financial assistance through an insurance affordability program, 
IRS, using the Hub, will provide information to verify the income of the consumer. If a 
consumer does not want to apply for financial assistance, then the consumer will not be 
asked to provide income information. Again, the Hub will not store or retain the data 
used in this process. 

3. If the consumer appears to be eligible for an insurance affordability program, then the 
Marketplace eligibility system validates the consumer’s application by using the Hub to 
check if the applicant is enrolled in certain health care programs provided by the 
Department of Veterans Affairs (VA) or eligible for coverage through other programs 
provided by the Department of Defense (DOD), Office of Personnel Management 
(0PM), Peace Corps, Medicare, or state Medicaid agencies. Alternative processes have 
been established through rulemaking for eligibility factors not verifiable through the Hub. 

What Information is Stored? 

As clarified above, the Hub is a tool, not a database, and will therefore not store any information, 
since it only routes requests from Marketplace eligibility systems to already-existing Federal and 
state databases. The Federally-facilitated and State-based eligibility, redetermination, and 
appeals systems do store certain eligibility and enrollment records, including Federal appeals 
records. Federal consumer services records, and issuer financial information in order to fulfill 
their specific functions. These data will only be used to conduct these functions.^ Access to data 
in the Federally-facilitated system will be limited to authorized CMS personnel through 

^ The system of records for the Federally-facilitated Marketplace IT system is more thoroughly described in the 
System of Records Notice (SORN) available at; httD://www.eDO.gov/fdsvs/pke/FR-2013-02-06/html/20]3- 
02666.htm . 
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password security, encryptions, firewalls, and secured operating systems. Personnel having 
access to the system have been trained in the Privacy Act and information security requirements. 
This limited data storage is similar to what private issuers. Medicare, and Medicaid agencies 
currently use to determine eligibility, enroll applicants into health coverage, process appeals, and 
perform customer service, as well as prevent fraud, waste, and abuse. 

Safeguarding the Marketplace IT Systems 

The privacy and security of consumer data is a top priority for CMS and our Federal, state, and 
private partners. We will use appropriate policies, procedures, standards and implementation 
specifications to ensure the privacy and security of consumer data in accordance with applicable 
law. 

Implementing Privacy Controls for the Marketplace IT Systems 

The Congress acknowledged the importance of protecting personal information through the 
Privacy Act of 1974, which establishes requirements that govern the collection, use, and 
disclosure of information about individuals that is maintained by a Federal executive agency in a 
“system of records.” Since then, the Congress has passed amendments to the Privacy Act and 
additional legislation to assure Americans that information collected, created, used, and disclosed 
by Federal agencies is appropriately safeguarded. These additional protections include the 
Computer Matching Act, which amended the Privacy Act, and the e-Government Act of 2002. 

IT projects undertaken by Federal agencies and their contractors in support of the Affordable 
Care Act will comply with these and all other applicable Federal laws, so that the American 
public is assured that their personal information is protected. 

Additionally, certain classes of data may be subject to additional restrictions or protection on 
data use or transmission. For example, information systems containing tax return information 
must also comply with the taxpayer privacy and safeguards requirements of Section 6103 of the 
Internal Revenue Code. 


In order to establish controls and checkpoints within the Marketplace FT systems, CMS 
established a series of agreements, business processes, and protocols to ensure privacy controls 
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have been met. Because the databases connected to the Marketplace eligibility systems by the 
Hub are secure and closed government databases that already exist and comply with Federal 
privacy standards, most of the work of implementing privacy controls is conducted through 
business agreements between CMS and its Federal and state partners to assure data is being 
handled appropriately by all parties before data is exchanged through the Hub. To fulfill the 
Computer Matching Act requirements, CMS is establishing Computer Matching Agreements 
between CMS and each Federal and state partner. These Computer Matching Agreements 
describe how each Federal and state partner will exchange information, using the Hub,' in a way 
that ensures the privacy, integrity, and verification of data disclosed during this exchange. CMS 
and our Federal partners have signed additional agreements about the use of data and information 
exchanges, as applicable. CMS began formalizing these processes with our partners in July 
2011, and has refined and updated them as the Marketplace IT work has progressed. 

To ensure these agreements are met, CMS conducts Privacy Impact Assessments. Before State- 
based Marketplaces are able to use the Hub, CMS conducts a Privacy Impact Assessment to 
ensure that the State-based Marketplace has met all federal privacy requirements. CMS is 
currently reviewing the State-based Marketplaces’ Privacy Impact Assessments. Before the Hub 
is used to route information from Federal databases to Marketplace eligibility systems, CMS 
completes Federal Privacy Impact Assessments to ensure this information exchange meets the 
agreed-upon privacy requirements. 

Implementing Security Controls for the Marketplace IT Systems 
The Congress established security standards for Federal agencies through the Federal 
Information Security Management Act of 2002 (FISMA). FISMA requires each Federal 
agency to develop, document, and implement an agency-wide program to secure the information 
and information systems that support the agency’s operations and assets, including those 
provided or managed by another agency, contractor, or other source. To implement FISMA, the 
National Institute of Standards and Technology (NIST) has published a series of documents'* 
that provide security guidance to Federal Chief Information Security Officers. These 


“ NIST’s Special Publication 800-53: http://nvlDubs.nist.gOv/nistDub.s/SpecialPublications/NIST.SP.800-53r4.Ddf 
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publications provide security controls for Federal information systems derived from legislation, 
Executive Orders, policies, directives, regulations, standards, and business needs to protect 
organizations, individuals, and the nation from a diverse set of threats including hostile cyber- 
attacks, natural disasters, structural failures, and human errors (both intentional and 
unintentional). Using these materials, CMS outlined privacy and security principles that every 
Marketplace will use to develop privacy and security standards for any entity that collects or has 
access to Marketplace-related personally identifiable information.^ 

CMS will ensure that the IT used for the Marketplaces comply with applicable Federal laws, 
NIST controls, and security agreements through a stringent monitoring and evaluation system. 
CMS has a robust security monitoring system that reviews all security events, tools, 
requirements, and network device logs to identify, assess, and manage vulnerabilities and threats. 
For example, CMS publishes a monthly Continuous Monitoring Report to describe emerging 
concerns from a global and local perspective, along with recommendations or mitigation 
strategies. In addition, CMS conducts real-time monitoring to ensure that security tools are 
maintained through updates and patches. If changes must be made to Marketplace IT code, CMS 
uses a “structured change management process,” which identifies, evaluates, tests, and models 
codes changes and is overseen and approved by a business and technical governance board, as 
required by NIST standards. When the Federally-facilitated Marketplace systems are operational 
on October 1, 2013, they will be part of the overall established CMS operational security. CMS 
also benefits from independent reviews by external entities to verify security policy and 
readiness. 

Conclusion 

CMS is committed to creating safe, secure, and resilient Marketplace IT systems and protecting 
personal privacy and confidentiality in collaboration with our partners while expanding access to 
health insurance coverage to Americans, Collectively, the tools, methods, policies procedures, 
and laws I have described provide a robust security framework, which helps to safeguard the 
Marketplace systems and data. I am confident that through our hard work and the use of industry 


’ Please see the guidance listed under “Minimum Acceptable Risk Standards” for more information: 
http:/Avww.cms.gov/cciio/Resources/Reeulalions-and-Guidance/index.html#AtTordable Insurance Exchanges 
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best practices, the Marketplace IT systems will help more Americans securely enroll in and 
afford the health care coverage that fits their needs. Thank you for your attention to this 
important issue. I would be happy to answer your questions now, and will be able to provide 
updates about this important topic as we steadily progress towards the beginning of open 
enrollment on October 1, 2013. 
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Mr. Lankford. Mr. Dicken. 

STATEMENT OF JOHN DICKEN 

Mr. Dicken. Good morning, Mr. Chairman, ranking members 
and members of subcommittees, I am pleased to be here today to 
discuss issues with data systems that will be a critical component 
of the new health insurance exchanges. As you have heard this 
morning, starting in October, health insurance exchange in each 
State will provide new marketplaces where eligible individuals can 
compare and select health plans. 

To support the exchange’s efforts to determine applicant’s eligi- 
bility to enroll, CMS is building a tool called the Federal Data 
Services Hub. This data hub is intended to provide one electronic 
connection to Federal sources for near realtime date access to data, 
as well as to provide access to State and other data sources needed 
to verify consumers’ application information. Several million Amer- 
icans are expected to enroll in qualified health plans offered 
through the exchanges, once coverage begins in 2014. 

My comments today highlight key findings from a report that 
GAO issued last month on the status of CMS’ efforts to establish 
Federally Facilitated Exchanges in 34 States and to establish the 
data hub to support exchanges in all States. These findings are 
based in large part on our review of planning documents that CMS 
used to track Federal and State activities, including the develop- 
ment and implementation of the data hub, as well as interviews 
with CMS officials. 

In brief, CMS has completed many activities necessary to estab- 
lish Federally Facilitated Exchanges by October 1st, although 
many activities remain to be completed and some were behind 
schedule. As examples of progress made, CMS has issued numer- 
ous regulations and guidance and taken steps to establish proc- 
esses and data systems necessary to operate the exchanges. But 
the exchange’s ability to effectively carry out eligibility determina- 
tion and enrollment activities on October 1st will be dependent on 
CMS’ successful implementation of the data hub. CMS is expected 
to complete development and testing of the information secure 
technology systems necessary for the data hub by October 1st, as 
Administrator Tavenner just indicated. CMS began both internal 
and external testing for the data hub in October of last year as 
planned. 

According to program officials and our review of project sched- 
ules, CMS established milestones that aimed to complete the devel- 
opment of required data hub functionality by this month and for 
full implementation and operational readiness by September. Addi- 
tionally, CMS has begun to establish the required technical secu- 
rity and data-sharing agreements with federal partner agencies 
and States. 

While CMS data does, thus far, met project schedules and mile- 
stones for establishing agreements and developing the data hub, at 
the time of our report, several critical tasks remained to be com- 
pleted before the October 1st implementation. These included final- 
izing service level agreements between CMS, the States and Fed- 
eral partner agencies in completing external testing with all Fed- 
eral partner agencies in all States. 
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In conclusion, Federally Facilitated Exchanges in the federal 
data services hub are central to the goals under the Patient Protec- 
tion and Affordable Care Act of having health insurance exchanges 
operating in each State by 2014 and of providing a single point of 
access to the health insurance market for individuals. Their devel- 
opment has been a complex undertaking involving the coordinated 
actions of multiple Federal, State and private stakeholders. It has 
also required the creation of an information system to support 
connectivity and near realtime data sharing between exchanges 
and multiple Federal and State agencies. 

Much progress has been made; nevertheless, much remains to be 
accomplished within a relatively short amount of time. CMS’ time 
lines provide a roadmap to completion of the required activities by 
the start of enrollment on October 1st. However, the large number 
of activities remaining to performed, some close to the start of en- 
rollment, suggests a potential for challenges going forward. And 
while the interim deadlines missed thus far may not affect imple- 
mentation, additional missed deadlines closer to the start of enroll- 
ment could do so. 

At the time of our report, CMS had recently completed risk as- 
sessments and plans for mitigating identified risks associated with 
the data hub and was also working on strategies in each State to 
address State preparedness contingencies. Whether this contin- 
gency planning will assure the timely and smooth implementation 
of exchanges by October 2013 cannot yet be determined. 

Mr. Chairman and ranking minority members, this concludes my 
statement, and I’ll be pleased to answer any questions that you or 
other members of the subcommittee may have. 

Mr. Lankford. Thank you. 

[Prepared statement of Mr. Dicken follows:] 
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Chairmen Meehan and Lankford, Ranking Members Clarke and Speier, 
and Members of the Subcommittees; 

I am pleased to be here today to discuss the efforts of the Centers for 
Medicare & Medicaid Services (CMS) to establish federally facilitated 
exchanges (FFE) and the federal data services hub (data hub). The 
Patient Protection and Affordable Care Act (PPACA) required the 
establishment In all states of exchanges,’ which are marketplaces where 
eligible Individuals can compare and select health insurance plans. CMS 
must oversee the establishment of exchanges, including approving states 
to operate a state-based exchange or establishing and operating one 
itself in states that will not do so, referred to as an FFE. In establishing 
the framework within which an FFE in a particular state will be established 
and operated. CMS has provided states with the option to assist with 
certain FFE functions. 

All exchanges, whether state-based or FFE, will be required to perform 
certain activities, many of which fall into the core functions of eligibility 
and enrollment.^ plan management,® and consumer assistance.** To 
support the exchanges’ efforts to determine exchange applicants’ 
eligibility to enroll, CMS is building a tool called the data hub. According to 
CMS officials, the data hub is to provide one electronic connection to 
federal sources for near real-time access to data,® as welt as provide 


’in this statement, the term “state" includes the District of Columbia. 

^The eligibility and enrollment Unction includes the requirement that the exchange 
determine an individuars eligibility for enrollment into a health insurance plan and for 
income-based financial subsidies. In order to enroll in health insurance coverage offered 
through an exchange, individuals must complete an application and meet certain eligibility 
requirements defined by PPACA; for example, they must be U.S. citizens or legal 
immigrants. 

®The plan management function includes the development and implementation of 
processes and standards by the exchange to certify qualified health plans (QHP) for 
inclusion in the exchange, or to decertify them, as needed. 

**The consumer assistance function includes the requirement for each exdiange to 
provide a call center, website, and in-person assistance to support consumers in filing an 
application, obtaining an eligibility determination, comparing coverage options, and 
enrolling in a QHP, Other consumer assistance function activities include outreach and 
awareness activities. 

®Near real-twne refers to a system capability to deliver data in response to transactions 
one at a time, as they occur. 
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access to state and other data sources needed to verify consumer 
exchange application information. Enrollment in the exchanges begins on 
October 1 , 2013, with coverage effective January 1 , 2014. 

This statement highlights key findings from our June 2013 report that 
describes the status of CMS efforts to establish FFEs and the data hub.® 
In that report, we described (1) the federal government’s role in 
establishing FFEs for operation in 2014 and state participation In that 
effort; (2) the status of federal and state actions taken and planned for 
FFEs and the data hub; and (3) CMS spending to support establishment 
of FFEs and the data hub. 

For that report, we reviewed regulations and guidance issued by CMS in 
preparation for establishing the FFEs, and documents Indicating the 
activities that the federal government and states are expected to carry out 
for these exchanges. We also reviewed planning documents CMS used 
to track the implementation of federal and state activities, including 
documents describing the development and implementation of the data 
hub. We interviewed CMS officials responsible for establishment of the 
exchanges. We relied largely on documentation provided by CMS — 
including information CMS developed based on its contacts with the 
states — regarding the status of the exchanges and did not interview state 
officials or collect information directly from states. We also reviewed data 
received from CMS on funding obligated for contracts and interagency 
agreements from fiscal year 2010 through March 31 , 2013, to assist in the 
development and operation of the FFEs and the data hub and carry out 
certain other exchange-related activities. Our work was performed from 
February 2013 through June 2013 in accordance with generally accepted 
government auditing standards. Those standards require that we plan 
and perform the audit to obtain sufficient, appropriate evidence to provide 
a reasonable basis for our findings and conclusions based on our audit 
objectives. We believe that the evidence obtained provides a reasonable 
basis for our findings and conclusions based on our audit objectives. 

In brief, our work found that CMS will operate a health insurance 
exchange in the 34 states that will not operate a state-based exchange 
for 2014. While CMS will retain full authority over each of these 34 FFEs. 


®GAO. Patient fVctecf/on and Afhrdable Care Act: Status of CMS Efforts to Establish 
Federally Pacilitated Health Insurartce Exchanges, GAO-1 3-601 (Washington, D.C,: 
June 19. 2013). 
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it planned to allow 15 of these states to assist it in carrying out certain 
FFE functions.'' However, the activities that CMS plans to carry out in 
these 15 exchanges, as well as in the 17 state-based exchanges, have 
evolved and may continue to change. For example, CMS approved 
states' exchange arrangements on the condition that states ultimately 
complete activities necessary for exchange implementation. Agency 
officials indicated that they were working with each state to develop 
mitigation strategies to ensure that all applicable exchange functions are 
operating in each state on October 1, 2013. CMS indicated that it would 
carry out more exchange functions if any state did not adequately 
progress towards implementation of all required activities. 

CMS has completed many activities necessary to establish FFEs by 
October 1, 2013, although many remained to be completed and some 
were behind schedule. CMS issued numerous regulations and guidance 
and took steps to establish processes and data systems necessary to 
operate the exchanges. The activities remaining crossed the core 
exchange functional areas of eligibility and enrollment, plan management, 
and consumer assistance. For eligibility and enrollment, CMS expected to 
complete development and testing of the necessary information 
technology systems by October 1, 2013. To support consumer-eligibility 
determinations, CMS is developing a data hub that will provide electronic, 
near real-time access to federal data, as well as provide access to state 
and third-party data sources needed to verify consumer-eligibility 
information. Effective use of the FFEs’ eligibility and enrollment systems 
is dependent upon CMS's ability to provide the data needed to carry out 
eligibility determination and enrollment activities through the 
implementation of the data hub. CMS began conducting both internal and 
external testing for the data hub in October 2012, as planned. According 
to program officials, CMS established milestones for completing the 
development of required data hub functionality by July 2013, and for full 
implementation and operational readiness by September 2013. Project 
schedules reflect the agency's plans to provide users access to the data 
hub for near real-time data verification services by October 1, 2013. In our 
June 2013 report, we noted that agency officials stated that ongoing 
development and testing activities were expected to be completed to 
meet the October 1, 2013 milestone. Additionally, CMS has begun to 


^Specifically, CMS indicated that a state in which an FFE will operate can choose to assist 
with certain FFE functions, including the plan management function, consumer assistance 
function, or both. 
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establish technical, security, and data sharing agreements with federal 
partner agencies and states, as required by department-level system 
development processes. While CMS stated that the agency had thus far 
met its project schedules and milestones for establishing agreements and 
developing the data hub, several critical tasks remained to be completed 
before the October 1, 2013, implementation milestone. According to CMS 
officials and the agency’s testing timeline: 

. Service Level Agreements (SLA) between CMS and the states, which 
define characteristics of the system once it is operational, such as 
transaction response time and days and hours of availability, were 
planned to be completed in July 2013; 

• SLAs between CMS and its federal partner agencies that provide 
verification data were expected to be completed in July 2013; and 

• completion of external testing with all federal partner agencies and all 
states was to be completed by the beginning of September 201 3. 

For plan management, CMS must review and certify the qualified health 
plans (QHP) that will be offered in the FFEs. Though the system used to 
submit applications for QHP certification was operational during the 
anticipated time frame, several key tasks regarding plan management, 
including certification of QHPs and inclusion of QHP information on the 
exchange websites, remained to be completed. In the case of consumer 
assistance, CMS had yet to complete many activities and some initial 
steps were behind. For example, funding awards for Navigators — a key 
consumer assistance program — had been delayed by about 2 months, 
which delayed training and other activities. CMS is also depending on the 
1 5 states that will assist it in carrying out certain FFE functions to 
undertake activities to implement those functions, and CMS data show 
that many activities in these states remained to be completed and some 
were behind schedule. For example, two states had delayed the date by 
which they planned to select individuals who would provide In-person 
consumer assistance to those seeking to enroll in a QHP. 
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CMS data indicated that the agency spent almost $394 million from fiscal 
year 2010 through March 31, 2013 through contracts® to complete 
activities to establish the FFEs and the data hub and carry out certain 
other exchange-related activities.® CMS officials said that these totals did 
not include CMS salaries and other administrative costs, but rather 
reflected the amounts obligated for contract activities. Ten contractors 
accounted for $303.4 million (77 percent of total obligations) for activities 
to support establishment of FFEs and the data hub and to carry out 
certain other exchange-related activities. Specifically, their contracts were 
for projects related to information technology, the healthcare.gov website, 
call center, and technical assistance tor the FFEs. 

In conclusion, FFEs along with the data hub are central to the goal under 
PPACA of having health insurance exchanges operating in each state by 
2014, and of providing a single point of access to the health insurance 
market for individuals. Their development has been a complex 
undertaking, involving the coordinated actions of multiple federal, state, 
and private stakeholders, and the creation of an information system to 
support connectivity and near real-time data sharing between health 
insurance exchanges and multiple federal and state agencies. Much 
progress has been made in establishing the regulatory framework and 
guidance required for this undertaking, and CMS has been taking steps to 
implement key activities of the FFEs, and developing, testing, and 
implementing the data hub. Nevertheiess, much remains to be 
accomplished within a reiatively short amount of time. CMS's timelines 
and targeted compietion dates provide a roadmap to completion of the 
required activities by the start of enroilment on October 1 , 201 3. However, 
certain factors, such as the still-unknown and evolving scope of the 


®We use the term “contract" to include contracts with private entities to carry out activities 
to establish the FFEs and the data hub, as well as certain other exchange-related 
activities, task orders for such activities under contracts with private entities that may 
encompass a broader range of activities, and interagency agreements for such activities. 
References to CMS "spending" are to the amounts obligated under these contracts, task 
orders, and interagency agreements. This total also includes amounts obligated by the 
Department of Health and Human Services under contracts, task orders, and interagency 
agreements in fiscal years 2010 and 2011, before the department transferred oversight of 
exchange implementation to CMS. An obligation is a definite tegai commitment that will 
give rise to payment at some point in the future. An agency incurs an obligation, for 
example, when rt awards a rxintract 

®CMS indicated that certain of these contracts supported activities, such as state 
oversight, financial management, and risk-adjustment mode! development, in which CMS 
would have engaged even if all states planned to operate their own exchanges in 2014. 
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exchange activities CMS will be required to perform in each state, and the 
large numbers of activities remaining to be performed — some close to the 
start of enrollment— suggest a potential for implementation challenges 
going forward. And while missed interim deadlines may not affect 
implementation, additional missed deadlines closer to the start of 
enrollment could dp so. At the time of our report, CMS had recently 
completed risk assessments and plans for mitigating identified risks 
associated with the data hub, and was also working on strategies in each 
state to address state preparedness contingencies. Whether CMS's 
contingencry planning will assure the timely and smooth implementation of 
the exchanges by October 2013 cannot yet be determined. 

In commenting on a draft of the June 201 3 report on which this statement 
is based, the Department of Health and Human Services emphasized the 
progress it has made in establishing the exchanges, and expressed its 
confidence that exchanges will be open and functioning in every state by 
October 1, 2013. 


Chairman Meehan and Chairman Lankford, this concludes my statement. 
I would be pleased to respond to any questions you or other members of 
the subcommittees have. 
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Mr. Lankford. And thank you, all of you, for your testimony. 

Can anyone state to me the section of the ACA that outlines the 
data hub? So, this massive undertaking started from what within 
the law? Because it is a massive piece, obviously. I’m just trying 
to figure out what part of the law mandates that this data hub be 
created, that this is the particular vehicle to solve the problem? 

Mr. Milholland. Mr. Chairman, I will take a cut at that. It’s 
the requirement to exchange information between agencies. We 
had to find a way that would easily work to connect to the IRS and 
particularly HHS and then subsequently to the exchanges, also to 
other government agencies. When we did the architecture and de- 
sign in collaboration with HHS and the other partners, we realized 
that the simplest design, the one that would make it more likely 
that we would implement on time, was a hub concept. 

Mr. Lankford. So you’re saying that there’s a statement within 
the law that requires communication between the agencies. Is this 
also requiring communication to the exchanges as well? 

Mr. Milholland. I will let HHS answer that specifically, but I 
believe the answer is yes. 

Mr. Lankford. Okay. Does anyone know on the section of law 
where this comes from? 

Mr. Chao. I don’t — I don’t believe it’s in any section of the law. 
I think, you know, as Terry said, we’ve been working together on 
the most efficient implementation of the requirement that is in the 
law for information sharing between Federal agencies that are used 
to verify data on applications of people who are applying for 

Mr. Lankford. Okay. So there is a section that requires commu- 
nication verification on it. How much does — does anyone know the 
total cost of the hub at this point? I mean, we’ve got two contrac- 
tors that are working on it. Every agency has now started engag- 
ing. We have all these agreements for computer matching. Every 
State is also engaging in it, so we’ve got a line that’s in the law, 
someone says we need to verify, how much has this cost. 

Mr. Chao. I think that there are several line items within the 
hub, but the total picture, as GAO reported, is about $394 million 
that CMS has budgeted and obligated for the various contracts to 
build the capabilities for the marketplace. 

Mr. Lankford. Okay. And then we’ve got several different pieces 
here. We have the data hub, obviously connecting all the agencies 
there where you’re saying information is not stored at the data 
hub. 

Mr. Dicken referred to it’s almost done in realtime, I believe, was 
the statement that was made there. Is it really realtime that’s done 
or are we batching all these reports? 

Mr. Chao. The vast majority of the design is for realtime re- 
sponses and realtime requests to get the data. 

Mr. Lankford. So, exchange hits the hub, makes the query, 
comes back seconds later, or does it come back hours later? That’s 
what I’m trying to figure out on it, the batch schedule here. 

Mr. Chao. The service levels agreement, for example, with IRS 
is between 5 and 8 seconds 

Mr. Lankford. Okay. That’s terrific. What about the caching of 
information. So when the request is made, how long is the cache 
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to be able to hold on to that information as it’s going through the 
process? 

Mr. Chao. The “caching,” and I put quotes around that, is kind 
of loosely used. When an individual is applying for the marketplace 
and they begin to enroll or request enrollment via the online appli- 
cation, they can pause and save that application into what we call 
a “My Account,” and that’s on the marketplace system side. 

Mr. Lankford. Okay. So, that is stored information. So, in the 
data hub, you’re saying, the caching is the best way to do it is over 
here, so how long is the cache in the data hub section of it? 

Mr. Chao. It is a consumer — when it comes to the application 
and their data, it is a consumer-elected, quote-unquote, “caching” 
of information saved in their “My Account.” In the hub, the time 
to live is very short. If there is no question and response match, 
that data is then removed. 

Mr. Lankford. So you’re talking 10 minutes, 20 minutes, an 
hour, somewhere through there? 

Mr. Chao. Within minutes. 

Mr. Lankford. Okay. All right. Then let’s go on the other — on 
the consumer side, where you’re saying — talking about “My Ac- 
count” because that is where stored data is located. Give me exam- 
ples of some of the fields. 

Ms. Tavenner, you mentioned a couple of those. Social Security, 
birthdays and such. What are some of the other fields that are 
there? 

Mr. Chao. Names of household members, address, the require- 
ment to supply valid Social Security numbers. 

Mr. Lankford. Ethnicity, is that included as well? 

Mr. Chao. I believe there are race and ethnicity 

Mr. Lankford. Okay. So, home address. Is there a phone num- 
ber that’s included in that? 

Mr. Chao. Yes. 

Mr. Lankford. Email address? 

Mr. Chao. Yes, contact information. 

Mr. Lankford. All of the — does it have the questions about em- 
ployer-sponsored coverage, is that included in that part as well? 

Mr. Chao. Yes. 

Mr. Lankford. Just questions about some of the background on 
it. Veteran status? 

Mr. Chao. Yes. 

Mr. Lankford. So, family members, you mentioned that. Does it 
just list out family members or list out the details of the family 
members? 

Mr. Chao. It — I think when we examined verification and deter- 
mination of eligibility for premium tax credits with — in conjunction 
with IRS and also examined Medicaid and CHIP eligibility, there 
are some information that’s used for different programs. 

Mr. Lankford. Okay. Let me run through several here. Indian 
tribe? 

Mr. Chao. Yes. 

Mr. Lankford. Tribal member is listed there. 

Mr. Chao. Yes. 

Mr. Lankford. Pregnant, would that be a question that would 
be asked or 
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Mr. Chao. It depends on a series of what we call a pattern of 
answers that would indicate that that might be a question associ- 
ated with 

Mr. Lankford. Obviously, “female” would be one of those, I 
would assume, in that pattern? 

Mr. Chao. I would think so, but it could be a household member 
that is not the applicant, but that’s mostly used for 

Mr. Lankford. But that is a possibility that’s in there. Applicant 
income, request of that? 

Mr. Chao. Yes. 

Mr. Lankford. Disabled, would that be listed as part of it? 

Mr. Chao. Disability, no. 

Mr. Lankford. Okay. All right. So that this information is gath- 
ered and it’s stored how long? 

Mr. Chao. For — once the enrollment is established, you know, 
via the “My Account.” 

Mr. Lankford. So the “My Account” is set up, that information 
stored in that section, stored how long? 

Mr. Chao. It is stored for as long as the person is seeking access 
to affordable care and wants to enroll via the marketplace. 

Mr. Lankford. Okay. We’ll have a lot of questions for you. I 
want to be able to honor everyone’s time in the day on this, but 
I want to just set some basic parameters of what we’re talking 
about, because we are really talking about two different systems. 
Data hub may not store anything, but we do have a data system 
that is storing large amounts of information as well, and so we’ll 
have to be clear as we walk through it and try to make sure that 
we’re using correct terms as we walk through it; is that okay? 

Okay. Ms. Speier. 

Ms. Speier. Mr. Chairman, thank you. 

And thank you again to all the witnesses. 

Three issues, privacy, security, fraud, that’s what we’re focussing 
on today. 

Let me start with Mr. Werfel and ask you a question about pri- 
vacy. 

Given the number of different agencies involved, what measures 
has the IRS implemented to guarantee that sensitive taxpayer in- 
formation is protected when it enters the data hub? 

Mr. Werfel. Thank you for the question. We, as I mentioned in 
my opening statement, we have a longstanding process because the 
Tax Code has previously allowed for, in certain situations, the IRS 
to share taxpayer information to Federal and State agencies, so 
over time, we built a very robust process that we’re leveraging for 
the manner in which we’ll share information under the ACA, which 
created a new exception under the Tax Code. 

That process is anchored around what we call a safeguard proce- 
dures report, and essentially, if you are to receive taxpayer infor- 
mation from the IRS, then you have to have an approved safeguard 
procedures report in place that IRS — and it’s a very robust set of 
requirements. IRS reviews and approves that procedures report, or 
SPR, and then we monitor and do like on-site visiting to make sure 
that they are complying with those procedures that they outline. 
They deal with things like recordkeeping, restricted access, em- 
ployee awareness about the sensitivity of the information, internal 
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inspections to make sure that the procedures that are in place are 
robust, disposal of records when they are no longer needed, making 
sure that only those records that are needed — that are used are 
needed. 

So, it’s a — ^you know, we have, as an example, just to give you 
a sense of how robust it is, just a template for what a State agency 
or Federal agency or the hub, in this case would, need to fill out 
is 61 pages, and that’s just a template of what’s required. 

So, really, we have a very robust set of requirements that are 
well battle tested over the years. We go through a robust process 
to review it and then we do on-site monitoring to make sure that 
the agency involved, whether it’s the hub or a State agency or an- 
other Federal agency are making good on their commitments. 

Ms. Speier. Is there any penalty if they somehow have it 
breached? 

Mr. Werfel. Well, there are ongoing reviews that are done by 
the inspector general as an example. There can be severe penalties 
for willful breaches. What the inspector general, I can let Mr. Dun- 
can speak to that, usually do is determine whether the breach was 
inadvertent or willful, and if it’s inadvertent, then they would issue 
some type of report that would establish new sets of requirements 
that we may need to do to make sure that such inadvertent disclo- 
sures don’t occur again. If it’s willful, they may refer to the Justice 
Department for potential prosecution. It just depends on the cir- 
cumstances. 

Ms. Speier. Okay. Now, I’m going to jump first to fraud and then 
come back to security because in my mind, security is the issue 
here. In terms of fraud, the chairman had referenced that there is, 
in effect, an honor system in place, and while that may be the case, 
because you’re self-attesting it to, it’s an honor system with con- 
sequences, is it not? If, in fact, you say you make $40,000 a year 
and are eligible for a premium credit, when it comes tax time the 
following year, if you really made $150,000, that subsidy has to be 
returned to the coffers of the U.S. taxpayers; is that not true? 

Mr. Werfel. Generally. If I could have a second to explain. 

So a couple of important things about the fraud and error risk 
associated with the ACA. 

First, what’s happening when the individual enters the market- 
place and seeks a premium tax credit, the system is set up so that 
any funds that they may be eligible or not eligible for because 
they’re trying to defraud the system don’t go to the individual. 
They go to the insurer. 

So the individual can try to penetrate the system and gain 
money, but they’re not going to get money. The money is going to 
be sent to the insurers. 

Ms. Speier. They’re going to get health care. 

Mr. Werfel. They’re going to get health care. And they might 
get more affordable health care than they’re otherwise eligible for. 

And at the back end, when they’re reconciling, it may be that 
they were eligible for too much when we see what their actual in- 
come is when they file their taxes, and then they’ll owe potentially 
some more money. 

It may be that we didn’t determine that they were eligible for 
enough. But what that will mean in that case is they have been 
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paying into this process, to the exchange, too much money than 
they should have, so we’re only reimbursing them the cash that 
they’ve already paid in. 

Now, there is 

Ms. Speier. I’m running out of time, and I want to get — thank 
you — to the more critical issue. 

I believe that the hub has a bull’s eye on it and that the poten- 
tial for it being hacked is great. And while there’s been testing that 
has been undertaken, does “testing” mean that we’ve allowed, you 
know, high school computer science whizzes to try and hack into 
the system? 

Mr. Chao. No, Congresswoman. The testing involves security 
professionals with predefined security protocols that are embedded 
and automated procedures that, for example, to try to penetrate 
the system and to emulate a potential hacker, as well as it scans 
for poor quality of code development with big holes in it so that 
people can actually infiltrate the system. 

And it also includes examining audit procedures and the ability 
to log access to the system and provide the traceabilities that audi- 
tors need in order to see who has been accessing what data with 
the right — with the correct roles and permissions. 

Ms. Speier. My time has expired. 

Thank you, Mr. Chairman. 

Mr. Lankford. Mr. Meehan? 

Mr. Meehan. Thank you, Mr. Chairman. 

And I want to jump off of what the gentlelady from California 
said about this being — looking at it from the security perspective, 
and also to talk about it from the perspective of what the chairman 
said. 

And this is not a partisan effort to try to go put you on the spot. 
And I also appreciate that you are the people who have been trying 
to implement this. 

But I also have grave, grave concerns about the scope of informa- 
tion that is being put together by this system that you put together 
because, you know, it was required just to make it work. And I’ve 
been struck by the observations of numbers of people who are out- 
side the organization, as well. 

So I know you, Ms. Tavenner, have discussed that you are trying 
to take the minimal amount of information that is necessary. But 
what is necessary to make the system work has been discussed by 
Stephen Parente of University of Minnesota, who studied perhaps 
the largest consolidation of personal data in the history of the Re- 
public. Do you dispute that? 

Ms. Tavenner. One thing I would remind the committee is that, 
currently, we are used to storing and having personal information 
on large numbers of individuals, such as in the Medicare program, 
in the Part D program. We take it very seriously, and we go 
through the highest security and privacy protections. 

Mr. Meehan. I know you take it seriously. The question is 
whether you’re prepared to have this information protected against 
the kind of and scope of probes that are taking place in the real 
world today. 

I’m going to read some observations from some people who, you 
know — “This national insurance exchange system will be the larg- 
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est IT system ever created in our history, and they’re not sure how 
it will work, and they cannot assure the security of this very pri- 
vate data. They are extensive government data-sharing systems 
that lack information security and offer easy access to hackers, 
identity thieves, and others interested in surreptitiously gaining 
access to private information.” This was Twila Erase from the Citi- 
zens’ Council for Health Freedom. 

“Nothing like this has ever heen done to this complexity or scale 
and with a timeline that puts it behind schedule almost before the 
ink was dry.” This was Rick Howard, who has an advisory firm, the 
Gartner firm. 

This is Jim Spatz, a senior advisor at Manatt Health Solutions: 
“As crunch time is coming, they’re just muddling through and fig- 
uring out shortcuts. It might not be elegant, but this is how they’re 
trying to make the law work.” 

These are the observations of some of the people who are outside 
the system observing it. Are they accurate? 

Mr. Chao. Congressman, I would refute that to say “no,” because 
CMS has vast experience — for example, there are nearly 50 million 
Medicare beneficiaries, and we have databases and systems that 
operate in an architectural and technical pattern very similar to 
what the marketplace requires, including, you know, application for 
enrollment, processing eligibility verifications, checking various 
sources of data, allowing for people to come back in to report life- 
changing circumstances, working with SSA to remove them when 
we receive a date-of-death notice. 

I think all these operations at a very, very super-scale level in 
health care, CMS has applied this experience to the marketplace 
program. 

Mr. Meehan. Would you — I understand what you’re trying to do 
at CMS. Are you aware of what’s going on today. Quantum Data 
2, the testing thing that’s being done right now on Wall Street 
today by the major New York banks? 

Mr. Chao. No, I’m not. 

Mr. Meehan. Do you think that your system is more or less se- 
cure than that that is being put together by the best banks in the 
United States? 

Mr. Chao. I really can’t speak to that because I’m not aware of 
what they’re doing. 

Mr. Meehan. Well, they’re walking through, as we speak, with 
regard to the ability to — that their recognition that they are, in ef- 
fect, being so remarkably challenged by the ability of complex net- 
works, be they criminal, be they state-oriented, be they otherwise, 
to get into information systems that they have responsibility over. 

And I’m not sure that I’m aware of any system that has more 
personally identifying information than your system currently. And 
the question is the degree to which we’re capable of being able to 
protect those systems. 

My time has expired, but I’m looking forward to following up spe- 
cifically on some of the questions with regard to that. 

Ms. Tavenner, do you have a comment? 

Ms. Tavenner. The comment I would make is that there cer- 
tainly is a lot of speculation out there about what’s going on inside 
CMS. And what I know is that the process that we are following. 
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we are used to working — we have lots of experience with working 
with big data sets. 

And we are following, going back to the Privacy Act of 1974, 
moving forward, to make sure that we have the highest degree of 
security and privacy protection. And we are on schedule to get that 
done 

Mr. Meehan. Do you know, what is the highest degree of secu- 
rity protection? Do you know, yourself, what that is? 

Ms. Tavenner. So I know, working with the team, that we start 
with certain standards that are required by the government, and 
we follow those standards completely and thoroughly. And then we 
have a continuous monitoring process, we have a continuous train- 
ing process 

Mr. Meehan. Ms. Tavenner, let me ask a question. When was 
the last time that you have sat in on a secure briefing by the FBI 
or the Department of Homeland Security giving you the current 
state of the cyber threat to data systems in the United States? 

Ms. Tavenner. I don’t know that I’ve sat in on an FBI briefing. 
We certainly have briefings inside HHS, and I did sit 

Mr. Meehan. But no, no, no. I asked you a specific question. The 
two agencies that have the specific responsibility to understand the 
scope and nature of the threat — are you telling me that you are the 
person who is responsible for putting together what may be the 
biggest data system of private information in the history of the 
United States, according to testimony of numbers of people, and 
you have never been to a secure briefing by the FBI or Homeland 
Security about the current nature of the threat to data systems? 

Ms. Tavenner. And I am telling you that I have been to a secure 
briefing. 

Mr. Meehan. With whom? By HHS or FBI? 

Ms. Tavenner. With HHS. 

Mr. Meehan. Well, but that is not Homeland Security, is it? 

Ms. Tavenner. No, sir. 

Mr. Meehan. No, it is not, nor is it the FBI, who are the two 
responsible for understanding the nature of the threat. 

I will pursue my questioning. Thank you, Mr. Chairman. 

Mr. Lankford. Ms. Clarke? 

Ms. Clarke. Let me thank you. Chairman Lankford, Chairman 
Meehan, and thank Ranking Member Jackie Speier for submitting 
my testimony to the record. 

And thank you, witnesses, for your testimony here this morning. 

My first question will go to Mr. John Dicken. 

Your report on the development of the Affordable Care Act data 
hub is the first of its kind for these healthcare programs, which 
means we are still learning about how to go about assessing the 
progress of the effort. You noted that 15 of the 34 States where 
Federal health officials are running the exchanges will play some 
role in their operation, and this is a good sign. 

With about 7 million citizens expected to enroll in healthcare 
plans, would you tell us first about the key milestones that have 
been met and the plateaus that have been reached in such a mas- 
sive undertaking? 

Mr. Dicken. Thank you. Ranking Member Clarke. 
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You are right that our report did look at two of the key mile- 
stones that have been met. We issued our report last month and 
highlighted some of the progress that has been made — notably, 
issuing key regulations and guidance that are necessary for estab- 
lishing the exchanges and the data hub; establishing, building, and 
developing and implementing some of the data systems that are 
necessary; and beginning some of the process for testing that is 
still ongoing. 

Since our report came out last month, there have been some 
other public milestones that have been met. I know that CMS has 
relaunched the healthcare.gov website. 

There are still a number of big challenges remaining, though. 
Our report does highlight that there are still a number of key mile- 
stones that do need to be met before October 1st and the open en- 
rollment. 

Ms. Clarke. I would like to also hear from agency staff present 
about what milestones they feel have been reached and how they 
see their progress. 

Mr. Chao. For CMS, we manage and administer the majority of 
the testing with the key business partners, which are the issuers 
or insurance companies that offer qualified health plans in the 
marketplace. We began testing with them in June extensively and 
stepping into greater and greater iterations of more complex test- 
ing that involved enrollment that are orchestrated with the issuers 
and their ability to receive an enrollment transaction and an ac- 
knowledgment and, finally, into a payment and a payment ac- 
knowledgment. 

The States we have been testing extensively since February, so 
those have been major milestones. Starting this week, we have con- 
ducted the testing in waves, and States have been coming in in 
various waves. You know, one through four is what we categorize 
it, with four being the vast majority of the more complex testing 
with the hub primarily and the ability to receive information when 
a federally facilitated marketplace is detecting the potential for 
Medicaid and CHIP eligibility. 

That testing in the fourth wave began this week, and we have 
40 States participating. And when the 40 States are testing with 
us, we will have all the States that have done some level of testing 
with us, with the 40 probably being the vast majority between now 
and August. 

Ms. Clarke. Does anyone have anything else to add? 

Mr. Werfel. I would just add to that from the IRS perspective. 
We also, similarly to HHS, are on schedule. We have a variety of 
information technology builds and upgrades that are necessary to 
meet the information-sharing requirements within the ACA, and 
that we’re generally on target with respect to all of those mile- 
stones. And we have a very high degree of confidence of readiness 
when October 1 hits and the open season enrollment begins. 

Ms. Clarke. Well, that sounds good. 

Let me go on and ask, can you update us on the Federal Data 
Services Hub testing activities, including the list of tests, which 
agency and stakeholder tested the data hub in each event, the re- 
sults of each test, and when the testing will be complete? 
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Mr. Chao. We certainly can do that. I can generally run through 
right now in just a few minutes. But I think, working with GAO 
and other folks that want to come in and take a deep look at the 
range and depth of our testing by testing partner, we can certainly 
provide that information. It is available. 

The testing that will occur in the next 70-plus days or so is large- 
ly looking at what was mentioned earlier as integration testing. 
Some folks like to use the term “end-to-end testing,” as if there is 
just this one giant thread from start to finish of all these complex 
processes that have to, in essence, have a handshake to move this 
data and respond to data in order to fulfill the request for enroll- 
ment. 

We are taking segments of that or hops of that process and test- 
ing the integration, for example, between IRS and the data hub, 
the data hub with the marketplace systems, and the marketplace 
systems with the issuers. 

So that’s just a very, very high-level example of how we break 
down that integration testing into those hops and to look at the 
interfaces and the data flows that are necessary to support that 
business process. 

Ms. Clarke. Thank you. And if you could submit to the com- 
mittee just a little detailed testing arrangements, that would be 
something that we’d like to have. 

Mr. Chao. We can certainly do that. 

Ms. Clarke. Thank you. 

Mr. Chairman, I will yield back. 

Mr. Lankford. Thank you. 

I recognize the chairman of the full Committee on Oversight, Mr. 
Issa. 

Oh, he’s not here right now. He had to slip out. 

Mr. Jordan? 

Mr. Jordan. I thank the chairman. 

Mr. Werfel, we’ve been given two titles for this individual. We’ve 
been given the title Project Manager for the Affordable Care Act 
and Director of the IRS’s Affordable Care Act Office. Who is that 
individual? 

Mr. Werfel. I’m sorry, can you repeat the two titles? 

Mr. Jordan. Project Manager for the Affordable Care Act and Di- 
rector of the IRS’s ACA Office. Isn’t it true that that individual 

is 

Mr. Werfel. Yeah, I mean. I’m just — you know, we have title 
changes, but I think you’re referring to Sarah Hall Ingram. 

Mr. Jordan. All right. And how long has Ms. Ingram worked at 
the Internal Revenue Service? 

Mr. Werfel. I don’t know the answer to that. 

Mr. Jordan. Our records show that she has worked there since 
1982, 30 years. And prior to taking over the ACA Office, what was 
Ms. Ingram’s title? 

Mr. Werfel. Commissioner for the Tax-Exempt Government En- 
tities organization. 

Mr. Jordan. And this is the very organization where the tar- 
geting of conservative groups took place; isn’t that correct? 

Mr. Werfel. It is the organization that was the subject of the 
IG report that I think you’re referring to. 
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Mr. Jordan. Yes. And this is also — Ms. Ingram was also Lois 
Lerner’s boss; isn’t that correct? 

Mr. Werfel. I believe for a period of time, yes. 

Mr. Jordan. When the targeting took place, for 2 of the 3 years 
that the targeting took place, according to our records. 

And isn’t it true that Ms. Ingram was invited to be a witness at 
today’s hearing? 

Mr. Werfel. That is true, yes. 

Mr. Jordan. And isn’t it true that you called Mr. Lankford and 
asked that she not come and that you come instead? 

Mr. Werfel. What I told Mr. Lankford was, based on the topic 
of this hearing, which deals with data, data integrity, and privacy, 
that I felt that Mr. Milholland was a better technical expert be- 
cause he’s our Chief Technology Officer, and Ms. Hall Ingram does 
not deal as directly in the issues of data safeguarding. 

Mr. Jordan. Is Ms. Hall Ingram in Washington today? 

Mr. Werfel. Yes, she is. 

Mr. Jordan. So there’s no family responsibilities, no health con- 
cerns, no other reason why she couldn’t be here today? 

Mr. Werfel. I don’t know about any of those situations person- 
ally, no. 

Mr. Jordan. But, to best of your knowledge, she’s working, she’s 
a few blocks away today, right? 

Mr. Werfel. Yes, she’s at the IRS. 

Mr. Jordan. Okay. And I know you’ve testified five times in 
front of various — or six times, I think you said, in front of various 
committees. But how long, again, have you been at the IRS? 

Mr. Werfel. Roughly a month and a half. 

Mr. Jordan. Okay. 

Mr. Werfel. Coming up on 2 months. 

Mr. Jordan. All right. 

We want to put on the screen here a couple slides, if we could. 
And just so you — this was a presentation given to the IRS Over- 
sight Board May 2nd of this year. 

And then I want to go to page 5, because this relates directly to 
most of your opening statement, Mr. Werfel, where you talked ex- 
tensively about 6103. But I want to read — it may be a little dif- 
ficult. I’ll read the second bullet point. 

“The ACA added Section 6103(i)(21) to authorize the IRS to dis- 
close Federal taxpayer information to exchanges, Medicaid, and 
CHIP agencies and their contractors to support income verification 
for ACA needs-based eligibility determinations.” 

6103 info is pretty important information; isn’t that correct, Mr. 
Werfel? 

Mr. Werfel. Absolutely. 

Mr. Jordan. Almost viewed as sacred, correct? 

Mr. Werfel. Within the IRS, for sure. 

Mr. Jordan. Yeah. In fact, you’ve used that, you’ve used 6103 as 
a reason not to answer some of my questions I’ve asked you in 
some of those previous appearances you’ve had in front of this com- 
mittee. And most of your testimony dealt with it. In fact, there’s 
a story in yesterday’s Washington Examiner where this was 
breached and a political figure had personal information, donor in- 
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formation, that went public, according to the Inspector General. So 
this is important stuff. 

Do you know who happened to — do you know who gave this brief- 
ing to your Oversight Board on May 2nd, 2013, Mr. Werfel? 

Mr. Werfel. I don’t know, but I’m assuming you’re going to tell 
me. 

Mr. Jordan. Yeah, we are. Who do you think it is? Can you haz- 
ard a guess? 

Mr. Werfel. If you would allow me, I mean, I think we can get 
to some of the points you’re tying to raise. I’m not going to dispute 
that Ms. Hall Ingram is not integrally involved in our ACA work. 
What I’m 

Mr. Jordan. No, no, no, wait, wait. What you just said a few 
minutes ago, maybe a minute and a half ago, was you were the 
person best equipped to answer our questions, even though the 
chairman invited Ms. Hall Ingram. And yet Ms. Hall Ingram is the 
very person who gave this briefing talking about 6103 information, 
which you highlighted in your testimony as being so darn impor- 
tant. 

So the very lady who is doing the oversight briefing to the Over- 
sight Board who we wanted to have come talk about this informa- 
tion, making sure taxpayer information was confidential, gave that 
briefing, you called up Chairman Lankford and said, “No, no, I 
don’t want her to come. I’ll come instead.” 

Mr. Werfel. Can I respond? 

Mr. Jordan. And you’ve been here all of 63 days. She’s been here 
31 years, since 1982. In fact, she’s the central figure in two of the 
biggest stories in the country, the IRS targeting and the implemen- 
tation of Obamacare. And these two gentlemen asked her to come, 
and you called up and said, nope, we don’t want the lady who 
briefed the Oversight Board, we don’t want her to come; I’ll come 
instead and use my 63 days of expertise, versus her 32 years, 31 
years of expertise. 

Ms. Speier. Mr. Chairman, with all due respect, Mr. Werfel has 
presented himself very, very competently in every area and 

Mr. Jordan. Mr. Chairman, did I yield the time? I don’t think 
I yielded her time. 

Mr. Lankford. Yeah, the gentleman did not yield on it. I want 
the gentleman to be able to retain the time 

Mr. Werfel. May I respond? 

Mr. Lankford. — and for Mr. Werfel 

Mr. Jordan. Yeah, you can respond. I hope you will respond. 

Mr. Werfel. I will respond. 

Mr. Lankford. And, Mr. Werfel, absolutely, we’ll give you the 
time to be able to respond. 

Mr. Werfel. I appreciate that. 

First of all. Congressman, I don’t agree with your characteriza- 
tion of the nature of my phone call with Mr. Lankford and the rea- 
son why I and Mr. Milholland are sitting here today. 

What I feel is appropriate and what I think IRS historically feels 
is appropriate is, when there’s a hearing, we balance a lot of dif- 
ferent factors in figuring out who the best witness is to present the 
information to Congress. Two of those factors are accountability — 
and I’m the most senior accountable official within the IRS 
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Mr. Jordan. I understand that. 

Mr. Werfel. — and second is technical knowledge and expertise 
on this subject matter. 

The hearing invite that we received asked us to pay particular 
attention on our coordination with other agencies, HHS and IRS co- 
ordinations, regarding safeguards of the personal data of individ- 
uals who purchase coverage through the exchanges. 

So what I suggested to Mr. Lankford is a combination of me, the 
most senior accountable official in the organization, and the Chief 
Technology Officer of the IRS, Mr. Milholland 

Mr. Jordan. And, Mr. Werfel 

Mr. Werfel. — would provide the best input to the sub- 
stantive — 

Mr. Jordan. I get it, Mr. Werfel. 

Mr. Werfel. — content of this hearing. 

Mr. Jordan. And I respect that. 

But if I could, Mr. Chairman, we have the minutes, we have the 
meeting notes from that presentation given by Ms. Hall 
Ingram 

Mr. Werfel. She’s knowledgeable on these issues. I’m saying 

Mr. Jordan. No, no, no, but let me just read. 

Mr. Werfel. — Mr. Milholland is more knowledgeable. 

Mr. Jordan. Just let me read. Well, if he’s more knowledgeable, 
why didn’t he do that briefing? 

So let me ask you — here’s what it says. “Ms. Ingram discussed 
the security and safeguard programs at the IRS, that the IRS has 
in place regarding sharing of data among its partners.” If he’s the 
expert, he should’ve done that briefing. 

And, frankly, the chairman didn’t ask for Mr. Milholland. They 
asked for Ms. Sarah Hall Ingram, who is head of the Affordable 
Care Act Office at the IRS. 

Mr. Chairman, I yield back. But, I mean, look, we’ve got the two 
biggest issues, maybe the two biggest issues in the country, the 
lady who’s at the center of the storm in both of those. We asked 
her to come here, and she doesn’t come. Even though she’s briefing 
everybody else on the issue, she won’t come brief the Congress, just 
like Lois Lerner won’t talk to Congress. 

Ms. Speier. Mr. Chairman, I have a point of inquiry. 

Mr. Lankford. Yes, ma’am. 

Ms. Speier. We have a 5-minute limit per Member. Mr. Jordan 
just exceeded it by 1 minute and 48 seconds. 

This is a hearing on evaluating privacy security and fraud as it 
relates to ACA, and this entire questioning was whether or not a 
particular individual should have been here versus the head of the 
agency. 

If we are going to conduct this hearing 

Mr. Jordan. Mr. Chairman? 

Ms. Speier. — as a witch hunt 

Mr. Jordan. It’s not a witch hunt Mr. Chairman. 

Mr. Lankford. Hold on. 

Mr. Jordan. Would the gentlelady yield? 

Mr. Lankford. The gentlelady has the time. Hold on. 
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Ms. Speier. — then I will object. I want this to be an oversight 
hearing by this committee. You have shown great leadership in this 
committee. 

I believe that what we should be doing is looking at where the 
holes are, in terms of making sure the ACA is effective as it is 
rolled out, where the resources need to be employed, where there 
may be loopholes, where there are issues that we have to address. 
And that’s what I hope this hearing will continue to do. 

Mr. Lankford. There are multiples of those 

Mr. Jordan. Mr. Chairman? 

Mr. Lankford. I will yield to the gentleman. 

Mr. Jordan. I would just ask unanimous consent to enter the 
meeting notes from the very meeting Ms. Hall Ingram briefed the 
IRS Oversight Board, specifically this sentence: “Ms. Ingram dis- 
cussed the security and safeguard programs the IRS has in place 
regarding the sharing of data among its partners, including those 
for ACA programs,” end of story. 

Mr. Lankford. Yeah. Without objection. 

Mr. Lankford. The time period is obviously at the discretion of 
the chair. There have been a couple Members that have gone over 
by a couple minutes, some as long as 2 minutes, actually, so far 
in our time period. 

We are going to try to honor the 5-minute time period, but I’ve 
always been fairly loose on that with Members on both sides, that 
if there is an appropriate question that’s going on and they want 
to give an appropriate response — and, Mr. Werfel, I do want you 
to still have time to respond to Mr. Jordan’s question that he ended 
with, if you choose, to be able to do that, as well. 

We did have an interchange, we had multiple conversations on 
that. It was very respectful of your position. You obviously have a 
difficult spot. You’re walking into the middle of a lot of issues with 
the IRS. This is one of several and a moving target. 

I did express to Mr. Werfel that I felt Mrs. Ingram seemed to be, 
as we’re looking at the flowchart, the best person to be there. Obvi- 
ously, Mr. Milholland has a crucial role in the data transfers on 
that. Mr. Chao has an incredible role in this from the HHS per- 
spective and what’s happening. A lot of what we’re dealing with 
deals specifically with the regulatory nature of this. 

So, Mr. Werfel 

Mr. Werfel. The only thing I would say — and I can be very 
brief — is that there are multiple people within the IRS with sub- 
stantive understanding of the issues of 6103 and the safeguarding. 
You have two individuals right now, one that’s the accountable offi- 
cial and one who is a subject matter expert on the issue, and we’re 
here and ready to answer any substantive questions you have on 
these matters. 

Mr. Lankford. Yeah, we will continue to press on with that. 

Mr. Cardenas, you are recognized. 

Mr. Cardenas. Thank you very much, Mr. Chairman. 

I would like to compliment the witnesses so far. It must be pretty 
trying, trying to stay on point even though some of the questions 
are trying to take us all off point here. And it’s unfortunate that 
some members of this committee and this subcommittee are just 
hellbent on wanting to bring issues back before the public that 
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really are not as relevant as the substantive issues as to why this 
hearing was even convened. But I would like to get us back on 
point. 

In an opinion piece published in the U.S. News and World Report 
in June, Congress Representative Diane Black made allegations 
about the data hub that we’re talking about today. I’d like to men- 
tion one in particular and would invite the panel to comment and 
clarify, if necessary, about this information that was put out to the 
public by Congresswoman Diane Black. 

Congresswoman Black wrote, and I quote, “For the purposes of 
implementing and enforcing Obamacare, the Department of Health 
and Human Services, through regulator fiat, is building this hub, 
a Web portal where personal information such as medical records, 
tax and financial information, criminal background, and immigra- 
tion status will be shared and transmitted between agencies, in- 
cluding the IRS, HHS, the Department of Justice, Department of 
Homeland Security, and the Social Security Administration, as well 
as State governments.” All right? And that’s the end of that quote. 

Ms. Tavenner and Mr. Chao, can you clarify, will personal med- 
ical records be accessible through the data hub? 

Mr. Chao. No, they will not be. 

I think the quote or the description is a bit inaccurate, in terms 
of it doesn’t describe about the flow of information, the type of 
data, and, certainly, we are not collecting, you know, personally 
identifiable health information on any individuals throughout this 
application process. 

Mr. Cardenas. Anything else on that point? 

Okay. Thank you. 

It’s important that there perhaps should be penalties for any 
misuse or disclosure of information. As far as you can tell, would 
there need to be congressional approval to implement levels of civil 
or criminal penalties for those who would willfully and knowingly 
violate privacy laws? 

Mr. Chao. I’ll also defer to IRS for their piece. 

I think, for us, there are already civil and monetary kind of pen- 
alties under U.S. Code that govern access to Federal Systems, of 
which, you know, we do apply that. Specifically to this application 
process. I’m not aware of anything that has changed with that in 
the application of those civil monetary penalties under U.S. Code. 
So I will — I can certainly get back to you with more specifics on 
that. 

Mr. Cardenas. Thank you. 

Mr. Werfel. And I was just going to reinforce that by saying 
that the protections that we’re putting in place on the data are 
leveraging longstanding, existing procedures that are in place, in- 
cluding penalties and approaches, working with the Inspector Gen- 
eral, that we have long-term experience with. 

Because, as I mentioned earlier, this is not the first time that the 
law has contemplated sharing taxpayer information from the IRS 
out into other Federal agencies and other State agencies. And so 
we have a strong track record of robust processes, and those are 
going to be leveraged here. 

Mr. Cardenas. Are they getting better, those processes, as tech- 
nology changes and as we have to defend ourselves from attacks? 
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Mr. Milholland. I’ll answer that from the point of view of the 
IRS. 

We use a defense in depth and breadth concept. That is, what- 
ever the access controls might be, for example, there are eight lev- 
els of protection as you come into the IRS electronically. But there 
is also a breadth approach that says, not just access controls, but 
preventative measures you might want to take for insiders, say, 
and a number of implementations of technical capabilities that 
allow us to try to be detect if there is inappropriate access to the 
information. 

So these same kind of practices we pass over to our Safeguards 
group and, particularly, provide our cybersecurity experts from In- 
formation Technology to assist them in their safeguard reviews. So 
those reviews that take place outside of the IRS have the best tech- 
nical support that’s available to the IRS, in which we’ve built what 
we believe is a — I’ll say a best-in-civil-government approach to in- 
formation security. 

Mr. Cardenas. Thank you very much. 

With what little time I have left, I would like to thank the panel- 
ists. I think you’ve been doing a really good job trying to stay on 
point and continuing to answer the questions as honestly and 
forthrightfully as you should be before any congressional hearing. 

And I would hope that you would share with your colleagues, 
whenever they’re summoned to this committee or any committee, 
to watch this tape so that you can show them that you can stand 
your ground and don’t succumb to badgering and things of that na- 
ture trying to get you off point. Thank you so much for your profes- 
sionalism. 

I yield back. 

Mr. Lankford. Mr. Walberg? 

Mr. Walberg. Thank you, Mr. Chairman. 

And thank you to the panel for being here. And we’re not going 
to attempt to badger in any way, but we would like answers to 
questions as quickly as possible. 

Ms. Tavenner, thank you for being here. Let me ask you, in rela- 
tion to the HHS issuing a final rule that requires a taxpayer en- 
rolled in a health plan through a State exchange to report certain 
changes in circumstances within 30 days, these include changes in 
residency, as I read it, and income. Is that accurate? 

Ms. Tavenner. I believe so, but I’d have to double-check the 
rules. 

Mr. Walberg. Well, let me follow up, hoping that maybe this 
will help. 

The question I would have: If, indeed, this is the case, a 30-day 
requirement, if I get a raise, if I get a demotion, if I start a new 
job, if I lose a job, am I required to run to my State exchange and 
notify them of those changes? 

Mr. Chao, if you could. 

Mr. Chao. Commissioner Werfel mentioned earlier that the proc- 
ess allows for a reconciliation via the tax-return-filing process of 
any advance premium tax credits that were paid on your behalf to 
the issuer that you enrolled in. And while we, on a consumer, you 
know, kind of customer service perspective, ask people to report it 
as early as possible 
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Mr. Walberg. Well, it says 30 days. 

Mr. Chao. Yes. Yes. And 

Mr. Walberg. But you’re going to be flexible on that? 

Mr. Chao. Well, I think, you know, by requirement, it’s 30 days, 
but if something were not to be, you know, kind of reported in that 
time span — and we are recommending for people to report changes 
timely — there is the reconciliation that will kind of pick up any ad- 
justments that are necessary. 

Mr. Walberg. So even I leave a State where my exchange was, 
or my marketplace, I guess is the new term, I will have some flexi- 
bility on reporting? 

Mr. Chao. Correct. 

Mr. Walberg. Okay. 

Let me move on. Ms. Tavenner, this is just a yes/no series of 
questions and answers here. 

Will exchanges be allowed to enroll individuals to receive ad- 
vance premium tax credits even if their income cannot be verifled 
by the IRS, yes or no? 

Ms. Tavenner. I think there are several steps, but, yes, there is 
a possibility that if their income can’t be verifled they could still 
be eligible after they complete another series of tests. 

Mr. Walberg. Will exchanges be allowed to enroll individuals to 
receive advance premium tax credits even if their household size 
cannot be verifled by the IRS? 

Ms. Tavenner. I think household size is verifled by the indi- 
vidual and to the extent that IRS can provide it. But, yes, there 
are additional steps, including self-attestation. 

Mr. Walberg. Will exchanges be allowed to enroll individuals to 
receive advance premium tax credits even if their citizenship status 
cannot be verifled by the Department of Homeland Security? 

Ms. Tavenner. As you are aware, the Affordable Care Act only 
allows if we are able to verify citizenship or 

Mr. Walberg. Well, in this case, they’re saying they are; there’s 
no firm verification. So another flexible area where we’re really un- 
certain whether the benefits are allowed or not allowed, right? 

Mr. Chao. The process works in that, when there are accurate 
data sources to verify against what’s on the application, it is done 
so, you know, online in realtime. 

There are cases in which when data and information is not nec- 
essarily in synchronization with what the person is reporting as 
the household, we have a step in the process whereby they move 
into an inconsistency period in which we have eligibility support 
workers. It’s a complement of almost, like, customer service reps 
that will work with you to identify, you know, other means to 
verify, you know, your household size, your income. 

And while it’s kind of a labor-intensive process, we have built 
that in so that we can get as accurate a determination and enroll- 
ment as possible. 

Mr. Walberg. But while it’s going on, it’s very uncertain? 

Mr. Chao. No, it’s a process 

Mr. Walberg. Citizenship status 

Mr. Chao. Well, for the consumer’s sake or the household’s sake, 
the process continues, and they move on to receiving coverage and 
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enrollment in a QHP. But we’re, in the back end, making sure that 
that data is accurate. 

Mr. Walberg. Will exchanges be allowed to enroll individuals 
who receive advance premium tax credits even if their Social Secu- 
rity number cannot be verified? 

Mr. Chao. No. That process will go into that inconsistency or ex- 
ception process, and that’s probably a pre-, early kind of step in the 
process, because the first thing we have to do is to validate a Social 
Security number via SSA before we talk to IRS with that validated 
Social Security number. 

Mr. Walberg. If they haven’t had any previous tax returns, for 
instance 

Mr. Chao. Well, that’s why 

Mr. Walberg. — how do you verify this? 

Mr. Chao. That’s why we have that inconsistency process where- 
by for 90 days we will work with the applicant filer to make sure 
that that information, the required information, is validated on the 
application. 

Mr. Walberg. Mr. Chairman, my time has expired. Thank you 
for the additional time. This is an uncertain setting, isn’t it? 

Mr. Lankford. Ms. Lujan Grisham? 

Ms. Lujan Grisham. Mr. Chairman, thank you very much. 

And I also appreciate the opportunity to talk about the readiness 
and capability and make sure that we’re covering broad consumer 
protections, specifically privacy. 

I might point out before I get to my question that States for dec- 
ades have been collecting financial and healthcare information 
from Medicaid recipients, including children, and working very 
hard as the technology opportunities have enhanced to make that 
interoperable and realtime so that individuals aren’t doing inde- 
pendent applications by hand between one department that’s cov- 
ering developmentally disabled populations and another depart- 
ment that’s doing brain injury and another department that’s re- 
sponsible for level of care and another department that’s required 
to do the financial verifications, including going to their bank state- 
ments. 

And we’re doing that successfully. And, in fact, after 20 years. 
I’m not aware of a single State that’s had privacy issues as the core 
issue, by any stretch of the imagination, or those consumer protec- 
tions. We’ve had issues about Medicaid implementation, effective- 
ness, some fraud by providers, and all things that we should be 
looking after. But I’m not aware of anything, including hospitals 
and their discharge work and their own Medicaid eligibility send- 
ing provider to provider and provider to State, in fact, the very 
same information that we’re now going to do at the Federal level. 

So I’m happy to say that New Mexico is one of those States that 
is glad to help you do this, because we’ve been doing it successfully 
in many of these components for a long, long time. 

But to be successful. I’m concerned — and you might have covered 
this already — I’m concerned about having a budget that gives you 
the staff, that checks, that double-checks, that makes sure that 
you’re meeting the requirements that we intend in Congress, both 
for consumer protection and to make sure that we get these eligi- 
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bility issues streamlined effectively since we’re using a Web-based 
aspect here. 

So the Republican budget out of the Appropriations Committee 
cuts your budget by 24 percent. And I recognize that this com- 
mittee is concerned about IRS issues; I’m concerned. I introduced 
legislation that would clarify that “exclusive” means exclusive for 
501(c)(4)s. I don’t believe that there’s been targeting, but I think 
we don’t have the right processes involved to do it adequately and 
objectively and correctly. So this will, I think, help us. 

Commissioner Werfel, can you talk to me again specifically about 
what a 24 percent budget cut does to adequately and efficiently im- 
plement the requirements of the Affordable Care Act by the IRS? 

Mr. Werfel. It’s extremely challenging, in general. I think when 
you talk about a 24 percent budget cut for the IRS, you have to 
start with the reality that all of our mission-critical activities will 
be severely impacted. That means our ability to collect revenue, 
work with taxpayers to help them navigate the Tax Code, do en- 
forcement, go after bad actors who are seeking to defraud the sys- 
tem, meet other mandates. 

We have many legal mandates on our plate right now. We have 
work that we’re doing under a law that’s called FATCA that deals 
with disclosing information that’s in offshore accounts that’s unre- 
ported. We have legal mandates under that. 

So when you talk about a 24 percent cut, you really are nega- 
tively impacting taxpayers — small businesses, individuals, fami- 
lies — 

Ms. Lujan Grisham. So this has effects well beyond the Afford- 
able Care Act. 

Mr. Werfel. Absolutely. 

Ms. Lujan Grisham. And while, before I lose my minute, I want 
to make sure that you hit some of the specifics about the Affordable 
Care Act, and I want you to highlight that for every dollar that 
comes into the IRS — that includes the staffing resources to do the 
work that you’re required to do — it brings in about 6 Federal dol- 
lars. 

And, for me, this seems like a very political attempt to under- 
mine the implementation of the Affordable Care Act instead of 
what this committee, in particular, should do, is to make sure that 
the IRS can meet all of its obligations under current law. 

Mr. Werfel. Right. So I think the ACA tracks some of the broad- 
er responsibilities for the IRS. Our efforts to modernize — and here, 
for the ACA, we have to build technologies to meet these mandates. 
That certainly would be impacted by severe budget cuts. 

Our ability to work with taxpayers, whether on the phone or 
build new tools through IRS.gov so that they have clarity, whether 
it’s an individual or an employer, we do that in the tax law gen- 
erally. It would certainly be impacted by the ACA. Harder to get 
someone on the phone, harder to get information at a taxpayer as- 
sistance center, et cetera. 

And then we have protecting information. You know, we have 
people in place that are doing these reviews and oversight of agen- 
cies that hold taxpayer data. Significant and severe budget cuts 
would impact our ability to secure the data. 
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And then, obviously, enforcement has been a major theme in this 
hearing about fraud. We have to have tools in place, both tech- 
nology and analytics and expertise and criminal enforcement, to 
make sure that everyone’s playing on a level playing field and no 
one’s getting a benefit or money that they don’t deserve. 

Everything I just said, I think, is relevant across the IRS. Every- 
thing I just said is relevant to the ACA. And I welcome a debate 
and a dialogue around the IRS budget and, in particular, what a 
24 percent cut would do. 

Again, my bottom line is I think it’s important to look at it from 
the perspective of the taxpayer — the individual, the small business, 
the large business, the nonprofit, whatever it is. They will face very 
significant concerns and consequences with a 24 percent cut to the 
IRS, because they won’t be able to access critical services. Because 
the Tax Code doesn’t go away. They still have to comply with the 
Tax Code. They still have to comply, and they often seek and get 
IRS help in doing so. And our ability to provide that help and as- 
sistance will be compromised. 

Ms. Lujan Grisham. Mr. Chairman, I’m well over my time. I 
seek the committee’s indulgence for a quick follow-up? 

Mr. Lankford. Yes. 

Ms. Lujan Grisham. Quickly, so you’re going to have to move 
staff and shift your priorities. Have you thought about where you 
would start? Give me that. Where would you shift personnel to 
meet the Affordable Care Act implementation? 

Mr. Werfel. Well, we’re already starting — you know, if you look 
at the sequester impacts, we’re already, for example, our taxpayer 
assistant centers are closing at 1:30 now, and so less people are 
getting in. Our call centers have less people sitting ready to take 
calls, so our level of service numbers are going down. 

Ms. Lujan Grisham. Okay. 

Mr. Werfel. I mean, it’s just — the budget cuts that we face, the 
billion dollars between 2010 and 2013, which in part is due to se- 
quester, are impacting our ability to serve and to enforce. 

Ms. Lujan Grisham. Thank you. 

Thank you, Mr. Chairman, for your indulgence, and the commit- 
tee’s as well. I yield back. 

Mr. Lankford. I recognize the chairman of the full committee, 
Mr. Issa. 

Mr. Issa. Thank you. 

Mr. Werfel, when did you start at 0MB? 

Mr. Werfel. August 4th, 1997. 

Mr. Issa. And you’ve got 63 days or so in your current job. 

Mr. Werfel. Yeah, I’m coming up on my 2-month mark. 

Mr. Issa. And so you were in a key position to work with the 
President, quite frankly, during the discussion leading up to his of- 
fering and signing what became known as sequestration, right? 

Mr. Werfel. I was not involved in the Budget Control Act nego- 
tiations. I was involved, back in August 2011 when the Budget 
Control Act — my role was to work with the Treasury Department 
to prepare administratively for a potential breach of the debt limit. 
But I wasn’t on the side of 

Mr. Issa. Okay. Well, I’m just trying to understand the revi- 
sionism that’s going on here. 0MB did have a critical role, broadly. 
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in the decision that the President made to go for sequestration. So, 
you know, you’re sort of feigning that this is so terrible, when, in 
fact, this was the President’s decision, and now that it’s become 
law and it’s affecting you, you’re saying you can’t do your job. Well, 
I appreciate that that may be true, but let’s go through some num- 
bers. 

While you were at 0MB, you opposed the DATA Act that was 
passed unanimously out of this committee. To a certain extent, you 
were helpful in making sure the Senate never picked it up. 

Now, the reason for the DATA Act was to mandate structured 
data so that interoperability of government databases with strong 
enough metadata to secure and ensure that confidential informa- 
tion would always be in a way that it could not accidentally go 
from field to field in some sort of a mix so that organizations like 
the IRS, when they want to look at SEC and they want to look at 
multitude of filings, would be able to look at that data trans- 
parently in order to do better audits with less people. 

Isn’t that roughly what we sold to the Senate but they didn’t 
buy? 

Mr. Werfel. As I’ve testified before this committee wearing my 
former hat, I personally and I think the administration agreed with 
the objectives of the DATA Act. Our concerns were not about what 
you were trying to achieve; it was the how. And we were concerned 
about some of the additional bureaucratic layers of new organiza- 
tions in place with roles and responsibilities on data standardiza- 
tion, which is what caused us our concerns. 

Mr. ISSA. You know, what’s amazing is I didn’t get offered one 
amendment from the administration in order to perfect that. And, 
candidly, what we’re talking about here today, data security and 
the comfort level that interoperable databases and particularly 
those that are exposed to non-IRS employees, which will be every 
piece of information that we care about almost when it comes to 
our tax records and earnings and ultimately the healthcare infor- 
mation, is not going to be covered by a mandate but rather by good 
intentions. 

Let me go through one quick question here. As part of this proc- 
ess, this committee has been looking at the IRS and figured out 
that you gave, you know, $260 million, but a total of about half a 
billion dollars was given to a company that was at best a shell and 
perhaps a fraud. This committee had their CEO there recently. 
And you’ve had to finally cancel that contract. But on July 4th, 
2013, CMS awarded a potential 5-year contract worth $1.2 billion 
to a British company, Serco. 

Now, at least our information is that the FBI has also discovered 
Serco’s computer systems serving with the Federal Thrift Savings 
Plan were hacked. In other words, these people who are going to 
run this data have already compromised, according to the FBI, 
123,000 Social Security numbers. Additionally, the FBI has discov- 
ered that — oh. I’m sorry, that’s a repeat. Additionally, they’re also 
being investigated in Britain at some point. 

I guess my question is — Serco has an incredibly large contract 
and have proven, as of right now, a failure. Can you say with con- 
fidence that if we give them this much larger contract, that on day 
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one they’re not going to be in a position to compromise another 
123,000 Social Security numbers? 

Mr. Chao. The Serco contract is actually with CMS, and it’s 
called the eligibility support worker contract. 

And we’ve been working with Serco — just recently, you know, 
they’ve been awarded, so for the past 2 weeks we’ve been ramping 
up. And one of the top issues that we’re going over is the security 
rules and procedures and policies that apply to them under the 
general, kind of, FISMA Act of 2012, HIPAA, and their own cor- 
porate practices and procedures. They 

Mr. IssA. Right. But did you know about these problems and fail- 
ures before you awarded the contract? 

Mr. Chao. No, I was not a part of the contract award process 

Mr. IsSA. Okay, but now that you know about it, we’re working 
with an entity that apparently does not have the internal controls 
or track record, and yet you’re here today saying that, in a matter 
of days, they’re going to have a major role in major data; is that 
correct? 

So we’re working to get a group up to speed that doesn’t have 
a proven track record. My whole question to you is, in the award- 
ing of a contract, wouldn’t you need an assurance before — I mean, 
in other words, I’m not saying you couldn’t make them ready for 
prime time in a year or 2. The question is, where’s the pilot, 
where’s the proof, where’s the confidence that what has just re- 
cently happened won’t happen again? 

You know, I don’t normally have something in front of me that 
says the FBI has this problem and you’ve got a brand-new contract 
pursuant to Obamacare. 

Let me just hit one more point. 

Mr. Werfel, this committee has a broad set of investigations 
going on related to the organization you’re trying to fix, and today 
is one part of our concern. But you’re familiar with the 6103, what 
it means; is that correct? 

Mr. Werfel. Yes, sir. 

Mr. IssA. And 6103 was designed and passed into law to protect 
the American taxpayer from his or her tax records being looked at 
by outsiders or released; is that correct? 

Mr. Werfel. Yes. 

Mr. IssA. Was it ever intended to protect from Congress finding 
out when taxpayers have been abused? In other words, should 
there ever be a claim of 6103 when the victim themselves is asking 
for the release of the information? 

Mr. Werfel. Well, I think you’re raising a policy question in 
terms of how 6103 is structured. Right now, it’s specifically struc- 
tured to prevent us from sharing certain information except to the 
authorizing tax committees. Whether that should be expanded or 
not I think is a public policy discussion on the nature of 6103. But 
we follow the law, and the law requires us to restrict access, except 
to Ways and Means. 

Mr. IsSA. Right. But — and I’m going to finish, because I’m trying 
not to go any further over time. 

The fact is that if we don’t know the name and the Social Secu- 
rity number or Federal ID of an entity, we don’t know their ad- 
dress, and we don’t see financial information, that was the intent 



70 


of 6103. Today, your organization is working to say that, for exam- 
ple, knowing how many groups waited how long, how many groups 
are still waiting, those kinds of answers, and whether there is so 
much as one individual. 

And I’ll give you an example here today. There are the so-called 
test cases that we’ve had, two test cases. When we ask, is one of 
them still waiting, and we find out, yes, one of them is still wait- 
ing, people are saying, well — and I sent you a letter yesterday, with 
the other chairman and subcommittee chairman — we’re being told, 
well, that may be 6103. 

To know that a victim was isolated 3 years ago, pulled aside, and 
has never been given a “yss” or “no” answer, to know that they’re 
still not giving a “yes” or “no” answer, the claim that that’s 6103 
is a claim that, in fact. Congress and the public is not entitled to 
know that information. 

And I ask it that way for a reason. I understand another com- 
mittee can see certain information, but it’s the public that’s entitled 
to know. 

Isn’t it true that at least one entity that applied more than 2 
years ago still does not have a “yes” or “no” after the abuse that 
has become public that we’re all aware about as to “Patriot” and 
“Tea Party” organizations? 

Mr. Werfel. So, three quick responses. 

One, just to reemphasize, we do share the information, but the 
law restricts us from sharing it only with the chairman of House 
Ways and Means and the chairman of Senate Finance. 

Second, a taxpayer can, under 6103, authorize broader disclo- 
sure. They can waive their rights, and you can get the taxpayer 
to — say, “It’s important to make this publicly aware, but I need you 
to sign something,” and often taxpayers agree to do that. 

And, third, with respect to — ^you know, as I’ve testified before 
you. I’m concerned about the delay that we’ve seen in application 
packages in our Exempt Organizations unit. And perhaps in a dif- 
ferent setting, whether off the record or on, I can walk you through 
very important reforms that we’re making to our 501(c)(4) process 
to correct that from ever happening again. 

Mr. ISSA. Well, just for the record, if an organization says, we’ll 
waive our 6103 rights so the committee can see the individual 
records, the IRS’s current position is they won’t show us the emails 
where they conspired against or debated that, ultimately, we don’t 
need to see their records, they can hand us their records. We need 
to see who at the IRS was delaying and denying and dealing with 
it, and that’s individual emails with specificity as to those 
501(c)(4)s. 

Thank you. I yield back. 

Mr. Lankford. Ms. Maloney? 

Mrs. Maloney. Well, thank you. 

The chairman raised an important point, that a contractor re- 
ceived this contract on very sensitive information, an important 
one, and, according to his words, it doesn’t have a proven track 
record. 

You know, I want to know how that happened. Don’t you look 
into the backgrounds to make sure they know what they’re doing? 
I’d like to speak to Mr. Chao. 
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And, also, I would like you, Mr. Chao, to also talk about how dif- 
ficult it is to reconfigure the data hub that you are now raising and 
running if a State decides to assume more or less responsibility for 
an exchange. Are you adaptable? 

Now, I would like to put a little good news into the hearing 
today. The New York Times reports that the health-plan costs for 
New Yorkers is set to fall 50 percent. Now, this is great news for 
consumers, and it’s an extraordinary decline in New York’s insur- 
ance rates for individual consumers. 

So it shows the profound promise of the Affordable Care Act. But 
you can’t get to the Affordable Care Act if the computer system 
isn’t working. So this is a very clear thing, and I’d like to know 
more about it. 

But I’d like you to comment on this article and how your hub can 
address — I know that some States have not gotten their exchanges 
up and running. So how are you adjusting with States that don’t 
have it up and running? 

New York State, to its credit, has gotten it up and running, and 
it has great promise for consumers. 

So how are we making this configuration? And I guess, Mr. 
Chao, as the head of the hub, maybe you should be the one to an- 
swer. 

Ms. Tavenner. Congresswoman, with your permission, could I 
address the New York issue and the Serco issue? 

Mrs. Maloney. Sure. 

Ms. Tavenner. On the New York issue, we were obviously 
pleased to see that this morning. And I think it reaffirms what 
competition and transparency can do in a marketplace, and that 
really is what we’re doing in the Affordable Care Act, effective in 
October and beyond. 

On the Serco issue, notwithstanding what the chairman just 
brought to our attention, Serco is a highly skilled company that has 
a proven track record in this country and has done a lot of work 
with other Federal agencies. We are actually working with the U.S. 
corporation, and they are actually present in three States. And 
we — they were awarded through a full and open competition, so, 
obviously, they do have a track record with security and privacy. 

And I’ll turn it over to Henry to answer the other question. 

Mrs. Maloney. You know, but, also, can the system handle the 
varying degrees of astuteness or availability or readiness of dif- 
ferent States? 

Ms. Tavenner. Yes, and that’s where I think Henry comes in. 

Mrs. Maloney. Do you have a different system for each State, 
or is it all one central, big system? And is it government or private? 

Mr. Chao. The federally facilitated marketplace system is com- 
prised of several actual, you know, kind of, working pieces of sys- 
tem architectures that perform eligibility enrollment, QHP and 
plan management functions, financial management, you know, gen- 
erating payments for the issuers. 

The hub, as we mentioned earlier, is a routing tool. It affords the 
efficiencies that are needed for multiple points that are requesting 
the same information from authoritative data sources to connect to 
those data sources, and then enforced with a uniform service level. 
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That is a scaleable system that is government-owned, and — it’s 
privately contracted, but it is government-owned. It is 

Mrs. Maloney. Who will run it? Will the government run it, or 
will the private sector run it? 

Mr. Chao. It’s a combination of government, you know, staff and 
contracting staff that will staff an operations center that actually 
monitors its operations 24 hours a day. 

Mrs. Maloney. And where is it located? 

Mr. Chao. It’s in Columbia, Maryland. 

Mrs. Maloney. Uh-huh. 

Ms. Tavenner. And I would add that one of the advantages of 
having this hub is that, whether States or State-based exchanges 
or some type of partnership model or whether they default to the 
federally facilitated exchange, it’s transparent. It’s easy for us to 
make those changes. And that’s part of the 

Mrs. Maloney. And what is there to protect the privacy of the 
individuals’ health records? How do you protect that? 

Mr. Chao. Well, first of all, we don’t collect any health record in- 
formation or store health records. I think that’s an interaction be- 
tween a consumer that ultimately is enrolled in a qualified health 
plan and then, working with that health plan, accessing benefits 
and utilizing benefits, that that relationship affords the ability to 
collect and store and process. That’s a relationship between the 
consumer and the health plan. 

The ability for us to protect privacy of the individual is working 
with SSA and IRS and in enforcing the very stringent, you know, 
and rightfully so, 6103 provision and flowing that through, you 
know, Mr. Milholland and other chief technology officers and chief 
information officers from around the Federal Government, worked 
with as a group to develop what we call the harmonized privacy 
and security framework. 

Even though each agency operates under very strict guidelines, 
its own guidelines to operationalize FISMA and HIPAA and 6103 
in IRS’s case, we had to get together because this data via the hub 
was moving and being requested by multiple entities, including the 
State endpoints, that there are their own marketplaces. 

So we had to get together to make sure that the implementation 
of those security and privacy controls and operations was har- 
monized and are common across all the agencies and not dis- 
similar, as if we were implementing the program in different parts. 

So we got together early on to do this, to make sure that we have 
greater security and privacy, you know, kind of, enforcement and 
monitoring. And the bar is set by 6103 and the Privacy Act. 

Ms. Maloney. My time is expired. Thank you. 

Mr. Lankford. Mr. DesJarlais. 

Mr. DesJarlais. Thank you, Mr. Chairman. 

Ms. Tavenner, I have some questions for you, but first, Mr. 
Werfel, I just want to revisit a little bit of the dialogue that you 
had with Mr. Jordan earlier. 

He had asked you if Ms. Hall Ingram was in charge of the de- 
partment that oversaw the targeting of conservative groups, and 
what was your response to that? 

Mr. Werfel. My response is that Ms. Hall Ingram has specific 
ACA responsibilities, but there are other individuals within IRS 
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who have responsibilities at the same level, but Ms. Hall Ingram 
does play a coordinating role amongst our various ACA activities. 

Mr. DesJarlais. Okay. And one thing we’ve had, I guess, a hard 
time getting anyone from the IRS to say in multiple hearings that 
we’ve had is that the IRS was guilty of targeting conservative 
groups. 

You stated that you are the most senior accountable member at 
the IRS currently; is that correct? 

Mr. Werfel. That is correct. 

Mr. DesJarlais. Are you willing to go on record today and tell 
the American people that the IRS did target conservative groups? 

Mr. Werfel. I have said — I’ve testified previously that I believe 
the use of political labels to screen out applicants for increased 
scrutiny, inappropriate political labels, is equal to the term “tar- 
geting,” so I don’t dispute that. 

Mr. DesJarlais. All right. Well, it’s been hard to get someone to 
say that, and I know that moving forward into this healthcare law, 
that you have a credibility issue with the American people, and I 
think it’s very important that you be forthright, and I appreciate 
you saying that today when so many others have taken the Fifth. 

Ms. Tavenner, you had testified earlier about the preparedness 
of the CMS, and you’re feeling pretty comfortable about the ability 
to be ready on October 1st? 

Ms. Tavenner. Yes, sir. 

Mr. DesJarlais. Okay. I would like to submit for the record, 
without objection, Mr. Chairman, the data collection instrument 
from the GAO report from June 2013. 

Mr. Lankford. Without objection. 

Mr. DesJarlais. Okay. Ms. Tavenner, we have a document that 
was obtained that shows that CMS had only completed 20 percent 
of its work to establish appropriate privacy protections and the ca- 
pacity to accept, store and associate and process documents from 
individual applicants and enrollees electronically and the ability to 
accept image upload associates and paper documentation received 
from applicants and enrollees, so the fact that Obamacare became 
law in March of 2015, but yet it’s just a few months ago the admin- 
istration had completed only 20 percent of its work to establish ap- 
propriate privacy protections and capacity to accept, store, asso- 
ciate, and process documents from individual applicants, why 
would you say the administration failed to prioritize privacy protec- 
tion and data-sharing standards? 

Mr. Chao. I can answer that. Congressman. 

Mr. DesJarlais. Well, Ms. Tavenner, first, you go ahead, and 
then I have a question for you Mr. Chao. 

Ms. Tavenner. Well, first of all, I would say that GAO reports 
and other reports are taken of a snapshot in time, and a lot of work 
has been completed since that time, and I will let Henry speak to 
the details of that. 

Mr. DesJarlais. Okay. Mr. Chao, are you 100 percent finished 
establishing appropriate privacy protections? 

Mr. Chao. No, we are not. 

Mr. DesJarlais. Okay. If not, how much and when will you be? 

Mr. Chao. I think since the last report, we are probably — and 
this is a very kind of ballpark generalized roll it up kind of a fig- 
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ure, I would say with regard to the privacy and security, we are 
probably about 80 percent. 

Mr. DesJarlais. Okay. So the snapshot a couple of months ago, 
you’re at 20, and now you’re saying you’re at 80. Are you going to 
be 100 percent on October 1st? 

Mr. Chao. Yes. 

Mr. DesJarlais. Ms. Tavenner, do you feel that that’s reasonable 
that in 3 years you got to 20 percent, and now, in 75 days, we are 
going to get to 100 percent? 

Ms. Tavenner. Yes. 

Mr. DesJarlais. Okay. In — also, there’s 25 percent of the work 
to establish the adequate technology infrastructure and bandwidth 
to support all the activities with respect to the exchanges. Again, 
why did the Administration fail to prioritize this sooner? I’ll ask 
the same question, Ms. Tavenner. 

Ms. Tavenner. I don’t know that it’s a failure to prioritize. There 
is a certain workflow that has to — actually, first you have to put 
the regulations in process, then you start to develop the product 
from the regulations, and this is just the work in progress as any 
complicated project. We are now within the 90-day period of com- 
pleting the work. 

Mr. DesJarlais. Mr. Chao, the CMS document given to GAO 
says that the estimated completion date establishing an adequate 
technology infrastructure and bandwidth was July 1st, 2013. Did 
you meet your deadline for completion of this task? 

Mr. Chao. We have. It’s a constant changing target because the 
target is actually 

Mr. DesJarlais. The deadline is moving. 

Mr. Chao. No, the target is October 1st, and we make adjust- 
ments as we go to make sure that that target of October 1st is not 
missed. As of this month, all the infrastructure and the required, 
you know, hardware, software capacity, all of that is available and 
up and running. The specific application software, such as the “My 
Account” that I talked about earlier, the enrollment and eligibility 
pieces, the loading of the QHP information to process in enrollment 
and a payment to an issuer, that is an ongoing process. All that 
code and those databases are still being built throughout the sum- 
mer. 

Mr. DesJarlais. Okay. So both of you are testifying today that 
these shortfalls that are in the report that I mentioned are going 
to be 100 percent complete on October 1st? 

Mr. Chao. Correct. 

Mr. DesJarlais. Ms. Tavenner? 

Ms. Tavenner. Yes, sir. And we certainly will have mitigation 
strategies. I think someone mentioned earlier, and in our opening 
comments, that we will be prepared. We will start October 1, and 
we will certainly have hiccups along the way, and we are prepared 
to deal with this. 

Mr. DesJarlais. Okay. Very quickly. When did you learn that 
the employer mandate would be delayed? 

Ms. Tavenner. When did I personally? 

Mr. DesJarlais. Uh-huh. 

Ms. Tavenner. On June 24th or June 25th. 
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Mr. DesJarlais. Why did the President wait till July 2nd to an- 
nounce that? 

Ms. Tavenner. I don’t know. I was not part of that discussion, 
but I actually was made aware that it was being considered on 
June 24th. 

Mr. DesJarlais. All right. 

I yield back, Mr. Chairman. 

Mr. Lankford. Thank you. 

The ranking member of the full committee, Mr. Cummings. 

Mr. Cummings. Thank you very much, Mr. Chairman. 

I want to thank you all for being here. I want to thank you for 
what you do for the American People. 

Mr. Werfel, I want to pick up on where Chairman Issa was going 
to take it to a little further. I would like to ask you about the ongo- 
ing investigation into the treatment of Tea Party applicants for tax 
exempt status. During our interviews, we have been told by more 
than one IRS employee that there were progressive or left-leaning 
groups that received treatment similar to the Tea Party applicants. 
As part of your internal review, have you identified non-Tea Party 
groups that received similar treatment? 

Mr. Werfel. Yes. 

Mr. Cummings. We were told that one category of applicants had 
their applications denied by the IRS after a 3-year review; is that 
right? 

Mr. Werfel. Yes, that’s my understanding that there is a group 
or seven groups that had that experience, yes. 

Mr. Cummings. As I understand it, last week, the IRS was pre- 
pared to make a document production to the committee. And by the 
way, this is a request from the chairman, and those documents 
would have shown other categories of applicants, categories in ad- 
dition to the Tea Party groups we have been focussing on today. 
Before I go any further, is that right? 

Mr. Werfel. Yes. 

Mr. Cummings. I understand that our committee does not get ac- 
cess to information about specific taxpayers. I think it’s 6103, is 
that right, those — there are certain that prevent us from getting 
certain information, what Mr. Issa was talking about earlier gen- 
erally. 

Mr. Werfel. That’s correct. We’ll make certain redactions if we 
believe that the information would be too — have too much informa- 
tion so that you could zero in on a specific taxpayer, so we’ll make 
those redactions. 

Mr. Cummings. I understand. Under 6103 of Title 26 of the 
United States Code, the IRS cannot reveal specific taxpayer infor- 
mation. In order to make these determinations, and this is going 
to what you just said, the IRS has a — have career employees who 
are experts, this is what they do. 

Mr. Werfel. Yes. 

Mr. Cummings. In determining what is covered by the statute; 
is that correct? 

Mr. Werfel. That’s correct. 

Mr. Cummings. And in this case, these experts determine that 
the IRS could provide this information to the committee. They said 
the documents did not reveal specific taxpayers but instead re- 
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ferred to categories of groups just like the Tea Party groups; is that 
right? 

Mr. Werfel. Yes, that’s correct. 

Mr. Cummings. So, based on this established process, we should 
have received that information last week. And by the way, to his 
credit, the chairman has been very aggressive in going after docu- 
ments, but we did not receive that information. Instead, I under- 
stand that the Inspector General intervened. Let me say this again. 
It’s my understanding that the Inspector General intervened per- 
sonally. 

Now, Mr. Werfel, my question is, can you tell us what he did, did 
he call you, and what did he say? 

Mr. Werfel. Okay. The 

Mr. Cummings. In other words, we are being denied, this com- 
mittee is being denied documents that we have requested. Let me 
finish. And the chairman, to his credit, has been extremely aggres- 
sive in trying to get documents, and I have been accused, by the 
way, of obstructing the investigation, which is totally ridiculous. 

I want the documents. Now, tell me what the IG said that pre- 
vents our committee, that our honorable chairman, Mr. Issa re- 
quested, what did he say to you to cause us not to be able to get 
the documents after your experts told us we should have them? 
Can you tell us what — what that’s all about? 

Mr. Werfel. Yes. We were imminently going to produce a docu- 
ment in an unredacted form that would indicate the identity of a 
grouping of entities that we felt were similar in kind of scope as 
Tea Party in terms of its grouping, so that it wouldn’t be able — 
you wouldn’t be able to identify a particular taxpayer because the 
grouping name was so broad. 

And he reached out, when he learned that we were about to 
produce this information, and expressed concern and indicated a 
disagreement with our internal experts on whether that informa- 
tion was 6103 protected or not, and out of an abundance of caution, 
the IRS decided to redact that information until we could sort 
through with the IG his position and understand why it’s different 
from ours. And we’ve had subsequent conversations with him 
where we have reasserted our position that the information should 
not be redacted, but we have not reached resolution with him at 
this point. 

Mr. Cummings. I don’t understand. I thought that the career offi- 
cials at the IRS, the officials who do this for a living day after day, 
hour after hour, already determined that it was okay for the IRS 
to produce these documents to the committee that Chairman Issa 
requested. This seems very strange, Mr. Werfel. I know you just 
started, but has this ever, to your knowledge, happened before, the 
inspector general personally intervening to prevent disclosures to 
the Congress of the United States of America, have any of your 
staff members ever heard of this happening before? 

Now, you’re surrounded by folks. You can look around, and they 
may tell you something different, and if they’ve got — if they’ve got 
some other answers, if they haven’t been sworn in, Mr. Chairman, 
I ask that they be sworn in so we can know of these exceptions. 
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And by the way, Mr. Chairman, I just want the same amount of 
time that Chairman Issa was given. It was a total of 10 minutes, 
with unanimous consent, please. 

Mr. Werfel. I just don’t know the answer to that question. I per- 
sonally am not aware of any similar situation, but we can take that 
question back and do a broader inquiry amongst the IRS leadership 
and other professionals and get an answer. 

Mr. Cummings. I ask that you please have that answer to me, 
if you can, by tomorrow morning. We’re going to be seeing the in- 
spector general tomorrow, and I want to make sure that I do not 
prejudge him. I do not want to put anything out there to accuse 
him of anything and then go searching for facts. I simply want the 
truth so that we can restore the trust. 

Our interest is in getting as much information as possible. So, let 
me make sure I understand this. If the inspector general with- 
draws his objection, will you produce that information to the com- 
mittee that Chairman Issa requested? 

Mr. Werfel. Yes. 

Mr. Cummings. Now, let me say something else. Ms. Tavenner 
and Mr. Chao, I heard Mr. DesJarlais’ questions, and as I sat here 
and I listened to my good friend Mr. DesJarlais and he talked 
about, at one point, you were at 20 percent with regard to the pri- 
vacy protections. 

And then I think you said, Mr. Chao, and correct me if I’m 
wrong, you are now at about 80 percent. 

And then you and Ms. Tavenner agreed that by October 1st you 
would be at 100 percent, and if there were any problems or hic- 
cups, in your words, Ms. Tavenner, you were prepared for that; is 
that correct? 

Ms. Tavenner. Correct. 

Mr. Cummings. Well, I stop here for just a moment to thank you 
for doing what you do to prepare for something that is already the 
law. Although we are getting ready to vote on it, by the way, for 
the 38th time, it is the law, and you all have a duty, and I am so 
glad that even with all the chatter, you have to stay focused, you 
have refused to be distracted and you made sure that the American 
people — that the Affordable Care Act and the part that you all 
have to play in that, that you are prepared to do that, and I want 
to congratulate you. I know quite often you get negative comments, 
but the idea that you all took a monumental stance, and I want 
to say this to the other IRS employees, we appreciate it. 

Now, let me say one last thing in any last 1 minute. I’ve said it 
from this dais before and I will say it until I day: This is the 
United States of America. Every single person on this dais, if they 
have ever hired anybody and ran anything, has fired somebody, 
and just because we have some bad apples that don’t do the right 
things does not mean that we stop operating. It means that we 
take the bad apples out, and we continue forward. 

This whole idea that there was a problem in the IRS and there 
are ongoing problems and the problems that you are trying to 
straighten out, Mr. Werfel, to your credit, we should not then sud- 
denly wave a white flag and say, oh, we can’t carry out the Afford- 
able Care Act. This is America. We are better than that, and I 
know that you know that, and I get tired of people just because 
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there are problems, suddenly they said, oh, no, we can’t carry out 
the law. No. We are better than that. And so, I want to thank you 
all and may God bless. 

Mr. Lankford. Two quick notes here, Mr. Werfel. I know you 
have a hearing at 1:00 today. We’ve been at this for a little over 
2 hours this morning. I know you need to be excused pretty quick- 
ly. You have time for one more question, or do you need to go 
ahead and scoot out now? 

Mr. Werfel. No, absolutely. Please. 

Mr. Lankford. Okay. It is — Mr. Woodall is up. 

Mr. Woodall. Thank you, Mr. Chairman. 

And thank you, Mr. Werfel, for spending a little more time. I ac- 
tually had a couple of questions, too, because I think you’re a very 
serious public servant. I’ve been a public servant in a couple of dif- 
ferent capacities myself, and I think it’s fine for us to disagree 
about the issues. I think you have to be serious about the work. 

And I appreciate Mr. Cummings’ comments about you had a re- 
sponsibility, Ms. Tavenner, you had a legal responsibility, and you 
carried it out, and he’s tired of hearing excuses for why it is we 
can’t get things done. 

My question to you, Mr. Werfel, is, that’s what we saw on the 
Treasury blog. We just can’t get things done. Ms. Tavenner says, 
we were only at 20 percent a month ago, but we are going to make 
it happen by October 1st. 

The President seems to have decided or the Secretary seems to 
have decided that, no, we just can’t get things done, no doubt to 
the frustration of my friend from Maryland. 

We’ve got a bill on the floor this week that makes that statutory 
change, taking the Administration at its word that they can’t get 
it done, we make that statutory change from 2014 to 2015. Several 
times during this hearing, folks have said, we just have to follow 
the law. 

In your discussion with the Chairman about 6103, you said, you 
know, there may be some policy discussions about 6103 that we 
ought to have, but we at the IRS, we just follow the law. Mr. 
Cummings applauding CMS for following the law, doing what was 
required by law. Why is it that we don’t have Treasury’s support 
for making a statutory change to the law rather than just doing 
things that we would like to do administratively? 

I think one of the real challenges we have is we don’t have any 
need to work together any longer. We want to do something, we 
just do it here on Capitol Hill. You guys, the Administration de- 
cides you don’t like the way things are going, you just do something 
different. Why is it that it would not be better for the public serv- 
ants who have to implement these laws, for us to actually change 
the law rather than do it through blog posts of administrative deci- 
sions? 

Mr. Werfel. The challenge that I have. Congressman, and I ap- 
preciate the question, is that the role that the IRS has in relation- 
ship to Treasury is they make determinations on policy, they work 
on whether we are going to support or oppose and how we are 
going to work with Congress on the laws itself, and we really are 
all about administration. So, from my vantage point, I can answer 
questions for you on the decision that the Treasury made and how 
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it impacts the IRS’ ability to implement the ACA, but in terms of 
the — whether it should be legislatively incorporated is something 
I’d have to defer to Treasury. 

Mr. Woodall. I understand your challenges in that and respect 
it. I think about what Mr. Cummings has said about applauding 
the good work of IRS employees across the country and a few bad 
apples. I mean, I stay regularly at town hall meetings. You all have 
a horrendous job, and the job that you have that is made so horren- 
dous is made so horrendous by the laws that we pass here on Cap- 
itol Hill. I feel a great burden for the responsibility we put on you. 

I guess what I’m asking is, we just perpetuate the frustration 
with IRS employees when we put them in untenable positions. And 
putting the IRS in the untenable position of having statutes that 
require laws to be enforced and saying, but no, we are not going 
to enforce those laws simply perpetuates the negative stereotypes 
that go on out there today. So, understanding that you might not 
be able to speculate on why those decisions were made at Treasury, 
wouldn’t you push up the ladder, hey, here’s the Congress that 
wants to work with us to get this done in a statutory way for the 
House, the Senate, the President, to come together and do exactly 
what Treasury seems to be asking for, why can’t we come together 
and do that? Why won’t you push that message up the chain? 

Mr. Werfel. Well, without particularly commenting on this 
issue, I think in general what the IRS does is we — we do have a 
guiding principle that the simpler the tax code, the simpler the 
laws are, the more clear they are, the more we are going to be able 
to administer it then effectively and efficiently. And so, you know, 
we have that guiding principle, and then as we deal with different 
legal issues that arise. Treasury will consult with us on the admin- 
istrative aspects of them. 

Mr. Woodall. I understand that, and I absolutely agree with 
that. I would say, “shall begin after December 31st, 2013” is pretty 
simple. I would say that subsidies shall apply to State-based ex- 
changes is pretty simple. We’ve done the best we can in terms of 
simple law, and folks have gone and reinterpreted what was very 
simple law, and that’s the frustration to me as a legislator. 

I hear what you say to the chairman, 6103 is clear, it’s black let- 
ter law, Mr. Chairman, we can’t avoid it, and I’m thinking, for 
Pete’s sake, you decided that you don’t like the mandate timing, so 
you’ll do something different there. You decide you don’t like the 
subsidy implementation, so you’ll do something different there. 
These are very serious men, the chairman and the ranking mem- 
ber, you could just decide, you know what, 6103, it says. Finance 
Committee and Ways and Means, Chairman, but it probably should 
have included the oversight guys, too, probably should have. The 
subsidies probably should have done the Federal exchanges. The 
deadline probably should have been a year out, but you don’t. 

There is a lot of lack of confidence in America in both the admin- 
istration and the Congress these days. We have opportunities to 
work together instead of working against each other, and it frus- 
trates me that even on something as simple as a date change, we 
can’t even take advantage of that opportunity to restore faith in 
the people’s government here in Washington, and I thank you all 
for being here. 
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Thank you, Mr. Chairman. 

Mr. Lankford. Thank you. 

Mr. Werfel, I know you’ve got to scoot out of here and get ready 
for the next hearing. Thank you for being here. 

Mr. Milholland, will you be able to remain or 

Mr. Milholland. I can remain. 

Mr. Lankford. That would be great if you can, so if you need 
to answer for IRS. 

Mr. Perry. 

Mr. Perry. Thank you, Mr. Chairman. 

Ladies and gentlemen, thank you very much for being here. We 
understand on this committee that — and in Congress, that you 
have a duty to perform and you don’t always necessarily agree with 
what we send out of this place, but you do your duty and you per- 
form it as best you can. We appreciate that. We also have a duty 
as well, and I would take some exception with the statement that 
our duty is to make sure this works. 

We have a duty to our constituents to make sure that we echo 
their concerns and ask questions on their behalf, and on my part, 
a lot of my constituents are concerned and skeptical about this law 
and the contents therein, and so I want to ask some questions on 
their behalf. 

I guess, Mr. Chao, I’ll start with you, because I’m not really sure 
who else to start with. Who — is there one person? Who is the 
charge — or who will be in charge of the data hub? 

Mr. Chao. In CMS, we typically have a combination of lead pol- 
icy, what we call business owners of the hub. The administrator ul- 
timately is accountable and responsible for any of the technology 
that we implement to support the programs, but the day-to-day op- 
eration is governed by a board of business and technical leadership 
in the agency. 

Mr. Perry. In CMS or the IRS? 

Mr. Chao. There is a CMS and as well as a cross agency 

Mr. Perry. So it’s a bunch of people who will never have, in my 
opinion and I think in a lot of American people’s, because of that, 
there is never really going to be true accountability because some- 
thing happens, everybody’s going to point to everybody else. I 
mean, it’s a — how many people are we talking about? Do you 
know? I mean, you’re — you’re in charge of some of this stuff. Do 
you know? 

Mr. Chao. I think what it boils down to is there is only less than 
a dozen people who are truly 

Mr. Perry. Less than a dozen, okay, and some from our — there 
are five agencies. Somebody from the five agencies, a person from 
each within the five agencies that are getting data in, taking data 
out? I mean 

Mr. Chao. Correct. 

Mr. Perry. Okay. So, I mean, you are going to know my Social 
Security number, my email address, my home address, my finan- 
cial information, whether I ever got a DUI, you are going to 
know — this — this portion of government, the Federal Government 
is going to know literally everything about me that — and every- 
thing about every 300-plus million Americans that they find per- 
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sonal and are concerned about having their neighbors know about, 
and so they’re right, I think, to be concerned. 

Who determines what questions are asked? And I know you kind 
of alluded to, at least in one part, that you are not going to have 
personal information or personally identifiable information, but in 
another sense, I thought you said that you’re going to know the 
home address, the email address, ethnicity. Who — who determines 
the question? Why is ethnicity important? Why is whether my wife 
is pregnant important? And when does she have to report it? Or 
when do you find out? What do you do with that? 

Mr. Chao. We make a proposal under the Paperwork Reduction 
Act, in which actually the public and Congress and anyone with 
the public at large can comment on the questions that we’ve asked, 
that we’ve included, that we felt essential to be part of that stream- 
line application; that’s online to apply for affordable care. 

Mr. Perry. So you make a recommendation, and we can provide 
comment, and what happens with our comments when we object? 

Mr. Chao. I think similar to rulemaking, we factor those com- 
ments in and categorize them and take a serious look at the policy 
and legal angles and technical implementation angles of it and we 
try to accommodate the kind of the very, very huge concerns that 
we get back under 

Mr. Perry. So, you’re with CMS. Why is ethnicity important? 
Who is it important to? 

Mr. Chao. I am on the IT side. I cannot answer. 

Mr. Perry. Yeah, but you’re — that’s the thing. You are one of 
these guys that are at the top. Are you one of the less than a dozen 
people on the committee in charge of the data hub? Are you one 
of those people? 

Mr. Chao. Yes. 

Mr. Perry. Okay. So if you don’t know this, who does? Who 
knows the answer, and shouldn’t you know it? 

Mr. Chao. I think within my purview, I don’t try to question 
every detailed policy that I am asked to implement. I am more con- 
cerned about capturing the requirements to make sure the system 
is reflecting 

Mr. Perry. But you are one of the people that weighs in on 
whether it’s important or not for your organization and what you 
do, and this is the American people’s personal information, so it 
needs to be important to somebody. If everybody took your opinion, 
nothing is important to anybody as long as the next guy said it 
was. I mean, the fact that you didn’t know about this Serco. I 
mean, do you think the American people believe or know right now 
that all this information about them is going to be handed off in 
some form to private contractors? Do you think they know that? 

Mr. Chao. I think they will know because they are in charge of 
consenting to that release. We — when you 

Mr. Perry. So, on the release, it’s going to say, “Fm giving my 
information to CMS,” or “Fm giving my information to Serco”? 

Mr. Chao. It’s actually the process. So if you’re in that inconsist- 
ency period, you are giving consent that we will be handling any 
issues that you have. 

Mr. Perry. You’ll be handling it, but it doesn’t say that your in- 
formation will be handled through us via contract by a private or- 
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ganization who’s owned by a British company or by MasterCard or 
whoever the contractor happens to be at that time. 

Ms. Tavenner. Let me try to help answer some of these ques- 
tions because I think the accountability obviously stops with the 
CMS administrator, and that’s me, and we do have business own- 
ers, and Henry is responsible for the IT implementation. 

Let me start with your question about health information and a 
reminder that the hub does not store any information, but it does 
not even ask for health information. The only time that pregnancy 
becomes an issue is, obviously, if someone is qualifying for Med- 
icaid and there are benefits, they are eligible for Medicaid and 
maybe they’re pregnant so it varies State By State, so that would 
be the reason for the pregnancy question. 

Much of the information that we ask is required by law, and if 
you’ll remember, there a couple of months ago, we went from a long 
application process down to what we are calling a 3-page applica- 
tion for an individual who is applying on the marketplace. But once 
you start to get inside, whether it’s Medicaid or CHIP, there may 
be additional questions that we need to answer in order to help 
someone get eligibility. That’s usually done at the State level. 

There is no health information. When we work with Serco, Serco 
is helping with enrollment and eligibility, so there is data that we 
store around things such as your email address, such as your 
phone number, such as Social Security, but part of that is stored 
so that if you have a dispute about whether or not you were eligible 
or you have an appeal, we have that information, but it’s not kept 
on the hub. 

Mr. Perry. It’s stored somewhere. 

Ms. Tavenner. Yes. 

Mr. Perry. Mr. Chairman, with indulgence, one last question, is 
for Mr. Milholland. We heard earlier that there would be penalties 
for folks that had breached the confidence of the American people 
by providing that information to folks outside, tax information, so 
on and so forth, you work at the IRS. Let me ask you this, regard- 
ing the information, regarding targeted political organizations that 
we recently learned about, has anybody been penalized at this 
point that you know of in your organization? 

Mr. Milholland. The only thing I am aware of is people are no 
longer in the jobs they were in. 

Mr. Perry. Have they lost their pay? 

Mr. Milholland. That, I do not know. 

Mr. Perry. Thank you, Mr. Chairman. I yield back. 

Mr. Lankford. Mr. McHenry. 

Mr. McHenry. Thank you, Mr. Chairman. 

Mr. Duncan, in your March report of this year, TIGTA gave no 
indication there would be problems with the IRS’ implementation 
of reporting requirements; is that correct? 

Mr. Duncan. That’s correct. 

Mr. McHenry. Okay. So does that include section 6 — 6055 that 
requires insurers to report about the coverage that they provide? 

Mr. Duncan. There are several information requirements from 
insurers, employers, from the exchange itself on a monthly and an- 
nual basis, so all that information will flow to the Internal Revenue 
Service and has to be processed, maintained and kept. 
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Mr. McHenry. But you had no issues with that. 

Mr. Duncan. That is still not really done until 2014 will that 
data start to flow to the IRS. 

Mr. McHenry. Okay. But does this include section 6056 that re- 
quires employers provide information on the health insurance they 
provide, so 

Mr. Duncan. We are very concerned about that with the recent 
change and the recent 

Mr. McHenry. No, no, but prior to that. We’re talking about 
your March reports. I mean, because you’re there to make sure 
that we’re, you know, the IRS is moving along in the path here. 

Mr. Duncan. That’s correct. 

Mr. McHenry. Right. And so, in your March report, you said 
they didn’t have any issues with this process of getting that infor- 
mation, right? 

Mr. Duncan. That was the information that they were collecting 
for the income and family size veriflcation. 

Mr. McHenry. Right. That’s what I have. 

Mr. Duncan. And the overall plan that they had in place looked 
good. 

Mr. McHenry. Looked good. Okay. So, you know, when we see 
the President announce this change, right, on employer mandates 
and then we see this other movement in terms of reporting require- 
ments, right, which you have the business mandate, then the re- 
porting requirements that the President then, through this admin- 
istrative procedure here, they’ve said, well, we are just not really 
going to verify very much, right, but is there in basis, basis in prac- 
tice, right, saying that they really don’t have that capacity, I mean, 
according to TIGTA? 

Mr. Duncan. In accordance with what we reviewed in the appli- 
cation that we looked at the IRS and our understanding, as of 
today, is the IRS will continue to provide to the exchanges through 
the HHS hub 

Mr. McHenry. All right. 

Mr. Duncan. The income and family size information. Now, we 
did not see, in our review, that there was a major change in the 
IRS need or requirement to provide that information if it’s avail- 
able. 

Mr. McHenry. Yeah, but I mean, this is the veriflcation process 
to ensure that people are complying with it, right? 

Mr. Duncan. Yeah. I just want to make sure, though, that we 
understand that the IRS information is only one set of information 
that the exchange will use in looking at and determining what the 
flnal income and family size data should be. 

Mr. McHenry. Okay. So let’s run a scenario here. 

Mr. Duncan. Uh-huh. 

Mr. McHenry. Okay. So, you know, in a state that doesn’t ex- 
pand Medicaid, for instance. North Carolina being one, and I rep- 
resent a district in North Carolina. A man who earns $15,000 — I 
am just going to walk through this scenario so people have an 
idea — would be eligible for a $3,400 subsidy if his employer does 
not extend an offer of affordable coverage to him or her, for in- 
stance. And so in 2014, with the Federal Government, would they 
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be able to verify whether this individual had an offer of affordable 
coverage at work? 

Mr. Duncan. I assume the HHS or the exchange at the state 
level would be in a position 

Mr. McHenry. We don’t have an exchange at the State level. 

Mr. Duncan. Then the Federal exchange would have to be doing 
that, and they would ask for information from the Internal Rev- 
enue Service as well as other locations. 

Mr. McHenry. Okay. So, Ms. Tavenner, if an individual fails to 
report that he has an offer of affordable employer-sponsored insur- 
ance, right, will he receive a subsidy of that $3,400? 

Ms. Tavenner. When an individual does do the self-attestation, 
they would verify whether or not they had employer-sponsored in- 
surance. 

Mr. McHenry. Right, right, so they’re going to say, hey, here’s 
the deal, didn’t get it, give me $3,400 bucks, subsidy. So, you know, 
if I’m verifying for myself, right? 

Ms. Tavenner. If you’re verifying for yourself and you say that 
it’s available and you didn’t get it, you will not be eligible for the 
tax credit. And a reminder 

Mr. McHenry. Right. But who’s going to say I’m not eligible for 
free stuff? 

Ms. Tavenner. So, I’ll remind you that you signed, when you 
complete the application, that this is under law, perjury, okay, so 
there are consequences to an individual who is not truthful on their 
application. 

Mr. McHenry. So what kind of enforcement are you going to 
have on that truthfulness? 

Ms. Tavenner. Obviously, we would follow law. 

Mr. McHenry. Right. But you have to have people to execute the 
following of the law. Are you going to ring them up and say, hey, 
by the way, were you honest then this self-attestation? 

Ms. Tavenner. Well, we will look at ways to verify. 

Mr. McHenry. Oh, you’ll look at it. Okay. We are talking about 
this going into effect this fall. We wanted something a little more 
than a look for. What is your process to verify that what they said 
was in fact true? 

Ms. Tavenner. So, we — there are a couple of ways. Obviously, 
we will verify first with the IRS, with SSA, information that’s 
available. If we are not able to get everything we need there, we 
will work with private commercial products, such as Equifax. 

Mr. McHenry. So, Equifax would have knowledge on whether an 
employee of my brother’s business was offered a health insurance 
plan that was commensurate with the requirement under Eederal 
law? Equifax would have that knowledge? 

Ms. Tavenner. We are looking at a process and I’ll be happy to 
get back to you with those details, so I need to get — walk you 
through the process, and I’m happy to. 

Mr. McHenry. I would think you would sort of think this 
through with this big announcement that we are going to waive the 
employer mandate, right? 

Ms. Tavenner. We are going 

Mr. McHenry. But you leave the individual mandate, so people 
are required, under compulsion of the law, right, which apparently 
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you haven’t thought about the enforcement of that law, which is 
sort of interesting, and maybe sort of liberating for some people, by 
the way, that you still have it on the law, but you don’t have any 
enforcement mechanism. 

Ms. Tavenner. And I’m happy to get back with you of that proc- 
ess. 

Mr. McHenry. Well, I would hope you would get back with us, 
and I hope you would think more deeply about this. When you tes- 
tify to Congress about something this important, that you would 
have taken a little bit of time to think through that verification 
process and that enforcement mechanism that you have enormous 
authority, as well as the IRS, to enforce it. 

And so, with that, Mr. Chairman, thank you for the indulgence 
of time, and I didn’t get to the fullness of the questions I had, but 
this — this is outrageous that the non-answer that I was given. I ap- 
preciate the chairman’s work on this. 

Mr. Lankford. Ms. Tavenner, about how much time do you 
need, do you think, to be able to come back on his question? 

Ms. Tavenner. Yes, a few days. 

Mr. Lankford. A few days. Great. Thank you for that. 

Mrs. Black. 

Mrs. Black. Thank you, Mr. Chairman. 

I want to thank you and the committee members for allowing me 
to sit on the committee and be able to ask questions to this very 
important issue. I want to thank all of you for being here to testify 
as well. 

This is something that is really very near and dear to my heart 
because I come from a State called Tennessee where we had 
TennCare. We had the pilot project. So I’m very familiar with a lot 
of what’s going on. 

As has been reported by one of the members of this committee, 
there has been a lot of information out there that I have put out 
to say, there are questions that need to be answered, and I’m glad 
that you’re here today to answer those. 

I do want to go back to say that it is very concerning that there’s 
a conflict. There’s a conflict between what you say and what we 
read, and I want to start with the first of those, because I want 
to go back to a system of records notice, and it says, and I quote, 
records are maintained with identifiers for all transactions for a pe- 
riod of 10 years after they are entered into the system. Records are 
housed in both active and archival files in accordance with the 
CMS data and document management policies and standards. 

It has been said over and over and over again by you, Ms. 
Tavenner, that these records are not kept. 

How is it that we see in the systems of records notice, this is 
what we are being told, and yet you say — and this is why there is 
a lack of confidence in the people of this country, is that we don’t 
have confidence that what we hear and what is actually there 
matches up. 

Ms. Tavenner, can you address that? 

Ms. Tavenner. Yes, Congresswoman, I can. I have said that we 
do not store information in the hub. I have also said, and as obvi- 
ous by what we supplied in our systems of record notice, that we 
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do store information on the marketplace, which is separate from 
the hub. 

Mrs. Black. So let’s be very, very clear that this information is 
being stored. When we continue to say, oh, this information is not 
stored, I think there, that people then go, oh, you’re wrong in say- 
ing it’s stored. It is stored, and we have documentation. 

Now, let me go to the second bullet. 

Ms. Tavenner. Well, as I said in my opening testimony, there 
are two systems, and it’s important to understand that one is the 
hub, which is a router, and the other is actually 

Mrs. Black. Which is a router that has a lot of people inputting 
information and taking out information, so I’m still not confident 
that what’s been said here today, that all of this is protected be- 
cause I have additional questions, which I know I won’t have time 
to get to, about what are the background checks? Who will have 
that access? But let me also go to the next question on this, be- 
cause it was referenced that there is no personal health informa- 
tion that is collected, and I want to go to a documentation that was 
put out, I guess, about 2 weeks ago, and this is — I am going to the 
section of verification of eligibility for minimum essential coverage 
other than through an eligible employer-sponsored program, and I 
am in the section, and I’ll give you the number of that section, 
155.320. 

So, here is what it says, and I am reading out of the fourth para- 
graph in here that says, “finally, we propose and added a para- 
graph to provide consistent with 45 CFR,” and there is a lot of 
other. I won’t go through that, and this is a quote, “a health plan 
that is a government program providing public benefits is expressly 
authorized to disclose personal health information, as that term is 
defined in 45 CFR 160.103, that relates to eligibility for or enroll- 
ment in the health plan to HHS for verification of applicant’s eligi- 
bility for minimal essential coverage as a part of the eligibility de- 
termination process for advanced payments for premium tax cred- 
its.” It specifically says in here that they are expressly authorized 
to disclose private health information. 

Can you speak to this? 

Mr. Chao. I can answer this. You know, something — something 
like a birth date that exists in one particular context can be treated 
very differently and called and wrapped around, for example, per- 
sonal health information when it appears in another contract — con- 
text, such as your health record. I think the minimum essential 
coverage, the intent is to check other sources of potential coverage 
to determine whether that coverage would be duplicative, supple- 
mental or contradictory to what the law has indicated that you can- 
not be in an exchange or a marketplace benefit receiving a pre- 
mium tax credit and enrolled in something else that’s also a gov- 
ernment program. 

So, that information, when we check that, if you look at it in the 
context of how it’s delivered to us, for example, from VA, it is part 
of the health record, but it is just the date of eligibility. We don’t 
hold any — ^you know, it’s is a vernacular, you know, kind of vocabu- 
lary contextual kind of issue, so it’s not clinically related. It is just 
a check on the status of your eligibility. 
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Mrs. Black. Well, I hear what you’re saying there, but this spe- 
cifically says, is expressly authorized to disclose personal health in- 
formation. 

Mr. Chao. Right, but I think you were 

Mrs. Black. Well, I am going to need to get — and we can have 
another conversation here, but I am going to need to get assur- 
ances that when you have an expressed authorization to disclose 
personal health information, that we give assurances to our con- 
stituents, my constituents that this information is not going to be 
shared with people that shouldn’t be getting it, and I don’t still 
have assurances in what I am seeing here. 

I think, Mr. Chairman, there needs to be many more of these 
hearings to — ^both for those Congressmen that are concerned about 
this as well as more importantly my constituents in the public who 
are really concerned about what has happened most recently with 
the IRS and how information has not been protected and people 
have been targeted, and likewise, I think there are many more 
questions about navigators and what kinds of background checks 
they have, what kind of training they had, this is something that 
certainly needs to be talked about a whole lot more. 

And again, I yield back. I know my time is up. Mr. Chairman, 
once again, thank you for allowing me to be here at this committee 
hearing. 

Mr. Meehan, [presiding.] Okay. I thank the lady, and I thank 
the panel. I know we have gone through a lot of questioning. There 
is just a few of us have some follow-up questioning, and you will 
indulge me on that. I certainly — I mean, I want to echo the point 
that was just made by the gentlelady from Tennessee. I mean, this 
is not only the idea that it’s within the regulations that you pub- 
lished yourself, but the concept that there are certainly cir- 
cumstances where a lot of that can be done without the consent of 
the individual whose records they are. I mean, this is — and I know 
it goes to contractors, and nobody knows who those contractors are 
at this point in time. And we are 75 days away from implementa- 
tion and you can’t identify with specificity who it is who are some 
of the contractors and what kind of things have been done, but I — 
to assure the credibility of their participation in the system. 

But you talked about harmonizing, Mr. Chao and others, the 
work that’s going to be done among the various agencies in this 
database, and, therefore, you are going to pull in the activity. And 
I know the IRS has a system which has been effective or at least 
the more effective, but I look at the agency score cards, and I am 
talking about harmonization, and this is the agency Federal de- 
partment’s and agency’s cross priority goals in cybersecurity for the 
second quarter of 2013, so this is the most recent one. And when 
we begin to talk about those who are on the scorecard, two of the 
poorest performers are HHS and the Social Security Administra- 
tion, both performing under the requirement that the executive 
branch will achieve 95 percent implementation of the cybersecurity 
capabilities. 

So who’s going to be, are we going to rise to the level of the IRS, 
or is it going to be down to the lowest common denominator with 
respect to the HHS and Social Security Administration 
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Mr. Chao. I think, working with IRS, certainly I mentioned ear- 
lier, that they’ve set the bar for security and privacy of protected, 
you know, information. You know, specifically in their case, under 
6103 and based upon our experience, you know, working with sys- 
tems that process personally identifiable information relative to eli- 
gibility, particularly like Medicare eligibility or enrollment dates 
and history of enrollments, we — I can’t speak for the HHS level. 
There are 11 operating divisions or agencies within HHS of which 
CMS is just 1 of the 11, so I don’t know if that scorecard reflects, 
you know, the individual CMS progress, but we can certainly look 
into that and get back to you. 

Mr. Meehan. Well, two of the three components that are going 
to be critical among these are the worst performers, but let’s — let’s 
on the part of this, is this is a dynamic network and people keep 
talking about the fact, well, information isn’t going to be connected 
here or stored in one particular place, but it’s just once one has ac- 
cess into this system, particularly in light now, the fact that it’s 
going to have so many different places in which responsibility for 
security will be contained, including, as best as I can understand, 
the fact that there are at least 15 States who will be operating 
their own exchanges. 

And Mr. Duncan, maybe you can speak to some of this, but as 
plan management — Mr. Duncan, does plan management include se- 
curity? 

Mr. Chao. I don’t think Mr. Duncan can speak to that. 

Mr. Meehan. Mr. Chao. Well, let me ask him this question as 
inspector general, does plan management include security? 

Mr. Duncan. Plan management should be considered when you 
build any application; it should be baked into the application, for 
sure. 

Mr. Meehan. Mr. Chao, are you saying plan management does 
not include security? 

Mr. Chao. No, I’m saying it does include security, and plan man- 
agement is a core function inside the federally facility 

Mr. Meehan. Okay. Well, here I have — and this is the report of 
the GAO that was done recently establishing, it says, for those 15 
FEEs which States will assist with plan management functions, 
CMS will rely on the States to ensure the exchanges are ready by 
October 2013. 

So, all of this work you are talking about, the fact of the matter 
is there is 15 different States and you’re basically saying, Ms. 
Tavenner, well, we are going to rely on them. They are going to 
sign documents that say that they are okay, but we are going to 
rely on them. This is your document. Is that accurate? Ms. 
Tavenner. 

Ms. Tavenner. I am trying to answer. Actually, it’s a little more 
interactive than that. We have oversight. Even when — what we do 
is we allow State-based exchanges to build their own platform, but 
we also work closely with them both on security plans, on plan 
management. 

Mr. Meehan. And how closely have you worked? Let me go down 
into the footnote, footnote 42. Seven of the 15 States submitted an 
application, were approved to assist and other plan management 
functions. Additional seven States were not required to submit an 
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application, and CMS officials indicated the agency has no formal 
monitoring relationship with the States. Instead, CMS conducted a 
1-day review of these States. 

So here we have the greatest data hub — the greatest data hub 
that has ever been put together with private information in the 
history of the government. It is going to be related back to your re- 
liance on the States to do it. You say you have oversight, and by 
the GAO’s report, what was done with seven of those States was 
you went and you spent one day on the review, presumably looking 
at a whole variety of issues, not just security. 

Ms. Tavenner. In this case, those seven States you’re talking 
about — I don’t have the benefit of your document, in front of me, 
but 

Mr. Meehan. This is the GAO report. 

Mr. Dicken, you made the report. 

Ms. Tavenner. Yes, I’ve read the report, but I’m just saying I 
don’t have that page in front me, but the seven page — the seven 
States that you’re referring to are actually interested in doing plan 
management, which is the work with the issuers, which is a func- 
tion they do today through their State insurance commission, and 
so we do work closely with the insurance commission. 

Mr. Meehan. Well, what do you do to assure the security of the 
system with them, because it seems to me that you are 

Ms. Tavenner. So the security of the system goes back to the 
hub and accessing the hub, which is part of our plan. So just be- 
cause they do plan management that’s out of State, they do not 
have a separate mechanism to enter the hub. To enter the hub the 
same way we’ve talked about, applies to all 50 States. The two are 
not the same. 

Mr. Chao. To add to that, we also conduct technical reviews, 
which include security components, and we sign the essential secu- 
rity documentation that’s needed and agreements, such as com- 
puter matching agreements and data use agreements, with all the 
States. So, there are other checks and balances that are in place, 
you know, as I mentioned earlier, the overall security framework. 

Mr. Meehan. What assurances do we have that the States are 
capable to protect the system, at least at their entrance point, and 
that your system is capable of protecting itself against the high 
level of — of effectively cyber attacks that are taking down the most 
sophisticated systems in the world. 

Mr. Chao. I think with ingress points and connection points with 
the federally operated IT and managed IT, I think we definitely 
apply, as you well know, under Homeland Security and at the de- 
partment level and even at the agency level, lots of continuous 
monitoring of the networks and intrusion. I think that 

Mr. Meehan. It’s saying that — the report that I just have that 
came down from the colleges says they can be months before any- 
body realizes that they are even in there. 

Mr. Chao. And I’m saying that with regard to the ability to im- 
pose the same Federal requirements on State systems and net- 
works, I don’t think we have applicable law that clears our ability 
to impose that on States, other than asking them to sign agree- 
ments. 

Mr. Meehan. My time is expired, and I need to respect the time. 
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So I will turn it over to the gentlelady from California, Ms. 
Speier. 

Ms. Speier. Mr. Chairman, thank you. 

You know, when Medicare was first passed as a law, there were 
huge cries by many in Congress about how it was going to be hor- 
rific and bring socialism into this country. Fast forward to when we 
were debating the Affordable Care Act and signs across this coun- 
try and at town halls that I was party to were signs that said, 
“Don’t touch my Medicare.” I believe that there will be a time when 
the signs will be, “Don’t touch my ACA benefits.” 

I am really apologizing to each of you for what I think has been 
a counterproductive engagement today. I think most of what has 
happened has been efforts to throw sand into the gears, and I don’t 
think that’s what this committee is supposed to do. We are sup- 
posed to drill down, to find out whether or not there are any over- 
sights, and if there are, help you fix those oversights. 

I have a lot of confidence in what you’re doing. It is not going 
to be perfect out of the shoot, it just isn’t, and I think we do great 
harm when we continue to spew out lies, much like the lies about 
the death panels. For those that have an agenda to dismantle the 
Affordable Care Act, this is not where they need to be. For those 
that want to make sure it works successfully, this is where they 
should be, and I want to thank each and every one of you for your 
efforts to try and make this a successful one. 

Now, I would like to ask one question. As you have weighed in, 
as you have dived deeply into this, implementation, is there is a 
particular area that you have some concerns about that we haven’t 
addressed that we should address either by legislation or by infor- 
mation that we convey to our constituents? 

Ms. Tavenner. I thank you for your support, and I would say 
that our biggest concern is that we have adequate resources to do 
the — to do the work. The President’s budget has proposed resources 
for 2014. It is important, if you want, and we want to take privacy 
and security seriously, we need to have the resources to be able to 
do that, and so I would appreciate your support in that area, and 
I thank you for your earlier comments. 

We have a great team at CMS, and we are working very hard, 
and we look forward to October 1st. 

Ms. Speier. Anyone else? 

Yes, Mr. Milholland. 

Mr. Milholland. As Mr. Werfel also commented about the budg- 
et issues, their primary concern is resources also, so I would echo 
Ms. Tavenner’s comments. 

Ms. Speier. Mr. Duncan. 

Mr. Duncan. Yes. The inspector general has three basic con- 
cerns, and I think I mentioned those in my initial testimony, but 
I’ll recap them. The protection of Federal tax data at exchanges, we 
believe, is a very specific requirement. The safeguards program at 
the IRS, we are currently doing an audit of that program as we 
speak, and we think they are going to need the resources and fund- 
ing to expand significantly to cover the additional State exchanges 
and its very specific requirements, as has been talked about before 
for that. 
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Also, the fraud prevention systems, that they’re ready by Janu- 
ary of 2015, that’s the return review program at the IRS, which 
brings analytics and stops the refund from going out the door, not 
after the fact and try to recoup it after the money is sent out. And 
also, the thing we’ve been talking about quite often, which is the 
interagency testing — this is all the components, including the IRS, 
that there is sufficient testing for the entire system, not just the 
pieces. Those would be my three concerns. 

Ms. Speier. All right. Thank you. 

Anyone else? 

Mr. Dicken. I can just note from our GAO report, you know, I 
think we highlight, I have two key areas that are remaining that 
are key for the October 1st implementation. We certainly talked a 
lot today about the data hub as a key tool for that. We talked now 
some about plan management as a separate core function. The last 
core function that we spoke to was consumer assistance. That’s an 
area where much of that is happening before October 1st and cer- 
tainly another core area where there have been some delays and 
then core activities that need to take place by October 1st. 

Ms. Speier. All right. Mr. Chairman, let me just end by sharing 
three quotations about how people were so exercised about Medi- 
care when it was being contemplated. Ronald Reagan, in 1961, 
said, “If you don’t stop Medicare, one of these days you and I are 
going to spend our sunset years telling our children and our chil- 
dren’s children what it once was like in America when men were 
free.” 

George H. W. Bush, in 1964, described Medicare as socialized 
medicine. 

Barry Goldwater said, in 1964, “Having given our pensioners 
their Medical care in kind, why not food baskets, why not public 
housing accommodations, why not vacation resorts, why not a ra- 
tion of cigarettes for those who smoke and beer for those who 
drink?” 

We really have got to get beyond the rhetoric 

Mr. Jordan. Would the gentlelady yield for a question? 

Ms. Speier. I am just closing. You can certainly carry on in your 
recount, but I would just say, rhetoric is not what we need to be 
talking about today. What we need to be talking about is the sum 
and substance of how we make this operate effectively, efficiently 
with privacy concerns resolved, with security concerns resolved and 
with the understanding that the fraud that may occur, if it is 
fraud, or just a misassessment of what one’s salary is, is that, at 
the end, it is going to be figured out and payments will be made 
back to the U.S. Treasury for the fraud that may have occurred 
when someone said they were making less when they were really 
making more. 

Now, any other fraud that occurs, it may be a subject that we 
would have to discuss further, but at this point, Mr. Chairman, I 
thank you for chairing this hearing, and you know, we have had 
a great relationship and I look forward to more of the same. 

Mr. Lankford. [Presiding.] Thank you. 

Let me ask a couple of questions here. We are getting close be- 
cause I know you all have been at this a very long time. The 
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verification that they qualify for a subsidy, is that done at the ex- 
change level or CMS? Who verifies that they qualify? 

Mr. Chao. The verification services are processed by CMS sys- 
tems for Federally Facilitated Marketplaces and via the hub con- 
necting to the income verification sources. 

Mr. Lankford. Okay. 

Mr. Chao. For State-based marketplaces, they do that them- 
selves connected to the hub via income sources. 

Mr. Lankford. So, with that, they’ve got to have access to all of 
that raw data to be able to make a decision. They are not just get- 
ting yes-no answers. When they pull data, they’re pulling data, so 
it’s entering fields. 

Mr. Chao. Yes, but it’s also — I don’t want folks to think that it’s 
a whole array of tax return information or health records. 

Mr. Lankford. Can we get a 

Mr. Chao. It’s very narrow. 

Mr. Lankford. Can we get a list, as it stands at this point right 
now, what information is coming down? Because I assume it’s on 
their 1040, line 47, such and such, this data is made available. I’m 
trying to find out what is made available to an individual in that. 
Because if the exchange makes the decision, that means they’ve got 
to have access to the raw data. 

Ms. Tavenner. We can get you information 

Mr. Lankford. That would be terrific. And just on the broad 
range. I’m sure it’s all been laid out at this point, obviously, to 
know what all that involves on it. 

This came up earlier, Ms. Tavenner, about the delay in the em- 
ployer mandate. You had mentioned late June, June 24th, that you 
had received notification that that was going to be delayed. 

Ms. Tavenner. Let me be clear. June 24tli or June 25th. 

Mr. Lankford. That’s fine. 

Ms. Tavenner. I’m not sure which day. 

Mr. Lankford. Yeah, that’s fine. Yeah, I wouldn’t hold you ac- 
countable to that, one way or the other. 

But the question is, this has to be an ongoing part of the con- 
versation. This was not a sudden decision late in June, that the ad- 
ministration thought this was a bad idea, let’s delay it. There were 
a lot of factors that went into it. 

Was the creation of this data hub and some of the connections 
between the employers submitting information about their insur- 
ance and what insurance that they’re providing to employees and 
the complicated nature of that, was that a part of this conversa- 
tion? 

Did CMS or IRS have conversations with the administration to 
say, “We’ve got all of this together. This is coming together well. 
We don’t yet know yet how we’re going to get employers to tell us 
their information on the employees”? 

Ms. Tavenner. Mr. Chairman, I cannot speak for IRS, but we 
did not have conversation. 

Mr. Lankford. So the first you’d heard about this at all or peo- 
ple at CMS had heard about this at all was June 24th or 25th? 

Ms. Tavenner. The first I heard of it. 

Mr. Lankford. Okay. 
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Would the IRS side — where are you? Because, at some point, it 
sounds like there will be — employers will have to submit, “My em- 
ployee has been offered this coverage.” Is that system in place? Is 
IRS prepared to be able to do that yet? 

Mr. Milholland. That particular deliverable is 2015. This direc- 
tion to move it to the right slides that, I think it was roughly about 
6 months, if I recall correctly. 

But, in any case, the IRS has to be prepared on day one with re- 
spect to those employers who choose to voluntarily provide the in- 
formation. So the fact that Treasury moved the requirement to the 
right for 

Mr. Lankford. No, my question is, was there dialogue between 
IRS, Administration, Treasury, whoever it may be, to be able to 
voice, “We don’t have a mechanism to yet be able to verify this with 
the employers”? So was that a part of the conversation? 

Mr. Milholland. That 

Mr. Lankford. Has there been a notification back? Because that, 
as you said, is voluntary at this point. That has all been moved a 
year back. What was the dialogue in advance. 

Mr. Milholland. I was not privy to that conversation. 

Mr. Lankford. Okay. Is there a mechanism in place — was there 
a plan to have a mechanism in place for 2014 for employers to be 
able to verify their employees do have qualified health plans? 

Mr. Milholland. The mechanism that was to be in place was 
that they would report to the IRS. 

Mr. Lankford. Right. 

Mr. Milholland. And, I mean, that was part of the require- 
ments — 

Mr. Lankford. Is that mechanism in place now? 

Mr. Milholland. No, it’s not. 

Mr. Lankford. Okay. When did that get pulled? Because I’m 
sure that didn’t get pulled June the 24th or 25th, as far as requir- 
ing that field to turned in. 

Mr. Milholland. But it’s part of the release that will come later, 
2015. I mean, it’s not in the system as of October 1, which we’re 
doing this year. 

Mr. Lankford. Right, I understand the date’s been moved on it. 
Prior to the 3rd of July, when it was announced that it’s going to 
be delayed, was this planned to be a part of the IRS reporting sys- 
tem — 

Mr. Milholland. The 

Mr. Lankford. — that employers would report starting in this 
year? 

Mr. Milholland. It was part of our plan but not to be imple- 
mented this year. 

Mr. Lankford. So, regardless, employers weren’t going to report 
either way? 

Mr. Milholland. That’s correct, this year. 

Mr. Lankford. Okay. So the delay that’s occurred, to say we’re 
not going to require that of employers this year, already lines up 
with what happening with data anyway? Or there was a change in 
the plan to gather data this year? That’s what I’m trying to deter- 
mine. 
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Mr. Milholland. I’m not sure I fully understand your question. 
I would just say again that the implementation of that employer 
reporting wouldn’t happen until 2015. 

Mr. Lankford. And that was the plan from the beginning? 

Mr. Milholland. From the beginning, yes, sir. 

Mr. Lankford. Okay. That’s what I’m — that’s all I’m trying to be 
able to determine from there. 

Ms. Tavenner, you mentioned earlier that there are third-party 
sources of financial information. You mentioned even Equifax or 
some other outside organization. What’s the connection there on 
the database with third-party organizations? 

Mr. Chao. We’re looking — because there was talk of the require- 
ment to have, you know, kind of, employer offering of coverage, we 
tried to look at our current contractor capabilities to see if there 
was some commercially available way to do that. And it’s just in 
conversation and discussion right now. 

Absent of, you know, when things were known or not known, it 
was just — ^you know, for me, it was understanding the requirement 
and seeing if there’s a data source that’s available. 

Mr. Lankford. And is that a hub-type relationship, to be able to 
pull data when it’s needed? Or is it a matter of getting data from 
them to be able to put on to the other piece? Because we’ve talked 
about two different functions here. 

Mr. Chao. Yes, pulling — it would be connected to the hub to pull 
that data from the 

Mr. Lankford. There’s a tremendous amount of credit informa- 
tion out there that’s in error, obviously. What I’m trying to deter- 
mine is, now that we’re fighting off three different agencies that 
have credit information, trying to get things fixed, we would now 
have to also add CMS into that mix, as well? That if there’s an 
error in my system, how would people know what is there 

Mr. Chao. I 

Mr. Lankford. — and whether they’d been accepted or denied? 
And how would they get that fixed? 

Mr. Chao. Chairman, I believe that when the — you know, saying 
“Equifax” and “credit report” is almost synonymous these days. 
When we work with a company, Equifax, they have lots of data 
sources that they make available. 

Mr. Lankford. Right. 

Mr. Chao. I think the employer offer of coverage, that potential 
for having that data, is part of their overall working with employ- 
ers to pull payroll information to help service benefit administra- 
tion, you know, kind of, practices for large employers for their em- 
ployees. I don’t think it falls under the FCRA, kind of, realm of 

Mr. Lankford. Right. But the thought on it is — well, there’s a 
whole bunch of issues. Just false information at all is hard enough 
to be able to track on it. 

But the thought is here, if they work for this certain employer, 
then they have been offered care, is the assumption there? Or is 
Equifax assuming that they’ll be somehow reported, there’s an em- 
ployee that works for me, this was one was offered, this one 
wasn’t? Is it just a matter of they have payroll data so they’re paid 
by this company, this company has a qualified health plan, so they 
must have been offered? Is that just the assumption? 
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Mr. Chao. Based on conversation with Equifax, they are having 
conversations with their employer clients that have this data rela- 
tionship, and they’re seeing if that’s something that the employer 
community wants to provide as a service or a benefit to their em- 
ployees so that they don’t have to constantly answer questions and 
queries about coming back to them about offer of coverage. 

Mr. Lankford. Ok^ay. 

One last question, and then Mr. Jordan, I think, has some wrap- 
up. And we need to get you all out of here, obviously. 

The individuals within the exchanges — and we’ve got an author- 
ized user that’s been authenticated. They’ve signed in. We know 
who they are; yes, they’re one of ours. In a State, they’re viewing 
data trying to make a decision; let’s say this is something that’s not 
automated. 

I assume most of the decisions are going to be made with param- 
eters and it’s going to be automated. Is that your assumption, as 
well? 

Ms. Tavenner. We are certainly going to encourage automation. 

Mr. Lankford. Yeah, I would assume the vast majority — you 
have millions of people coming through. Especially initially, those 
decisions aren’t going to be made on someone’s desk with a big 
stack. 

Ms. Tavenner. But it will no doubt be a combination of manual 
and automation. 

Mr. Lankeord. Okay. So that individual that’s there within a 
State that’s making a decision on it has access to all that informa- 
tion. The challenge becomes, do we have a system in place for back- 
ground checks for those individuals, limiting those individuals? 

If we visit with NSA, they can tell us exactly how many people 
have access to that information. And every time that information 
is accessed, there’s an accountability process with it. What I’m try- 
ing to determine is, there are occasionally authorized users that do 
have access to it but they use it in an unauthorized way, if that 
makes sense. 

Ms. Tavenner. So they’re — and I think the question you’re ask- 
ing is, who would help someone with an application? 

Mr. Lankford. No, not necessarily. No, it’s an individual that 
has access to the information; they’re authenticated as a person 
that is an employee there, whether it be a private contractor that 
works for a State or a State employees that’s been authorized to 
be a part of the exchange. They have access to that information. 

What boundaries are there that they don’t use that information 
for unauthorized purposes? 

Mr. Chao. From a program management perspective, when I 
talked about the harmonized security and privacy framework — and 
I did mention that there are some things that we cannot nec- 
essarily enforce upon States, but we can sign agreements with 
them. And in signing these agreements, they abide by certain secu- 
rity controls and thresholds that they, in essence, promise to up- 
hold as part of the security practices. 

Now, in the world of security and cybersecurity and awareness 
today and security policies and imposing this operationally, if you 
look at the multiple security frameworks that are available — Fed- 
eral Government, State government, and commercial — there is a 
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significant overlap, in that we adopt the same controls, such as, 
you know, access management, authentication to a certain degree 
of assurance in authorizing their entrance into the systems. So 
we’re in agreement on a very vast majority — large, vast majority of 
controls that are applied. 

Mr. Lankford. Right. I’m talking about just the background of 
how do we show that this person, once they’ve accessed data, that 
data that they accessed is for official purposes, not unofficial pur- 
poses. Because you now have data that was previously in a closed 
system that’s opening up a little bit to new people that have been 
accessing information. So it’s — am I making sense on that? 

Mr. Chao. Yes. Well 

Mr. Lankford. Again, it’s an authenticated user. It’s just not 
using it for authorized purposes. 

Mr. Chao. I think we have, you know, other security monitoring 
tools. We look at behaviors and trends in how people are using the 
system and 

Mr. Lankford. Right. We’ll follow up on that in the days to 
come. 

The SPR that we talked about. Safeguard Procedures Report, 
how many States currently have that, that that is done and com- 
plete? 

Mr. Milholland. Mr. Chairman, I’m told that all 15 have sub- 
mitted. 

Mr. Lankford. All 15 are done? 

Mr. Milholland. Yes. And I believe the Federal exchange has 
also. 

Is that correct? 

Yes. 

Mr. Lankford. I would hope that would be the easiest of all of 
them. 

Mr. Milholland. I would also add that we’ve begun our State- 
by-State or exchange-by-exchange safeguards reviews, literally, this 
week. 

Mr. Lankford. Well, that would be one to watch for, just unau- 
thorized use for unauthorized purposes is one to be able to watch 
and to be able to track on it. 

How many — by the way, on all of our States now for exchanges — 
this is off topic. I’m going to change to Mr. Jordan, because we’ve 
got to go. 

Do all of our States have more than one option on the exchange, 
at this point? Are there States that, when they get to the exchange, 
will only have one option when they get to the exchange? 

Ms. Tavenner. You’re talking about insurers now? 

Mr. Lankford. Yes, ma’am. 

Ms. Tavenner. We will not have all of that data until the end 
of July. But we are currently — and I think this State has been in 
the press. The State that we are most concerned about is Mis- 
sissippi. 

Mr. Lankford. Okay. 

Ms. Tavenner. Otherwise 

Mr. Lankford. So that it looks like all States will have more 
than one option on the exchange? 

Ms. Tavenner. Correct. 
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Mr. Lankford. Okay. Thank you. 

Mr. Jordan? 

Mr. Jordan. Thank you, Mr. Chairman. 

I just want to go back to where the chairman was and be clear. 
Ms. Tavenner, were you consulted at all before the decision was 
made to delay the employer mandate? 

Ms. Tavenner. I was not consulted. Now, part of that, in fair- 
ness, was I was also on vacation at the time. So I was actually noti- 
fied while I was on vacation. 

Mr. Jordan. Yeah. So you were notified. So you had a cell phone. 
So they got a hold of you, they could talk. I mean, you’re the head 
of CMS, and you weren’t even — they didn’t even talk to you before 
they made this decision? 

Ms. Tavenner. I think the decision was made with IRS as a pre- 
dominantly — 

Mr. Lankford. Mr. Chao, did they talk to you? Were you con- 
sulted before the White House decided to do this? 

Mr. Chao. No. 

Mr. Jordan. Mr. Milholland, were you consulted? 

Mr. Milholland. No, sir. 

Mr. Jordan. You weren’t consulted? 

Mr. Milholland. No, sir. 

Mr. Jordan. Mr. Werfel told us — told me about an hour ago you 
were the expert, and they didn’t even call you? 

Mr. Milholland. I was not consulted. 

Mr. Jordan. Was Mr. — to your knowledge, was Mr. Werfel con- 
sulted? 

Mr. Milholland. I believe Mr. Werfel said he received notifica- 
tion on 

Mr. Jordan. So none of the people who are going to be imple- 
menting this were even asked, is this the right move? 

Was Sarah Hall — to your knowledge, Mr. Milholland, was Sarah 
Hall Ingram consulted? 

Mr. Milholland. I do not know. 

Mr. Jordan. That’s amazing to me. 

You know, Ms. Speier talked about folks who want to throw a 
train wreck into — or throw a — mixed metaphor — throw sands into 
the gears. I would just remind, it hasn’t been Republicans who — 
and we have Mr. Baucus, one of the architects of the law, calling 
it a train wreck. We have the President suspending the law with- 
out consulting the people who have to actually make it work. 

Mr. Chao, you made a statement back in March that you hoped 
the exchanges wouldn’t be a, quote, “third- world experience.” So 
you obviously had some knowledge and some concerns to prompt 
that statement. Are those concerns still relevant, still valid? 

Mr. Chao. I was speaking before an audience of issuers that I 
had spoken to before, and it was a poor attempt at humor. So I 
wouldn’t necessarily 

Mr. Jordan. I don’t know that it was a poor attempt at humor. 
It may have been — ^you know, you may have been a visionary, you 
may have been a prophet. 

I mean, this is — the fact that they didn’t even talk to you is what 
I think is amazing. You don’t talk to the head of CMS, you don’t 
talk to the head of the IRS, you don’t talk to the person at the IRS 
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who is actually in charge of the Affordable Care Act Office, you 
don’t talk to the technical database expert, Mr. Milholland. You 
just decide one day you’re going to waive part of the law. 

I mean, we had the previous Democrat talk about when Medicare 
was — I’d be your curious to know if the President at the time Medi- 
care was implemented, if he asked for a delay in the law. Maybe 
he did, but I don’t know about it. 

This is amazing. 

But let me ask you one specific question, Ms. Tavenner. In Feb- 
ruary of this year, HHS System of Records Notice includes the fol- 
lowing statement: “The Secretary” — ^you — “along with other appro- 
priate agencies, will establish an appeals process for individuals 
and employers when eligibility is denied as a result of inconsist- 
encies between information obtained from applicants and enrollees 
and employers and information and data verified through the ex- 
change.” 

I have no idea what all that means; I hope you can tell me. 
Maybe you can define what “inconsistencies” are. Do you have a 
list of what those may be? You obviously anticipate problems be- 
cause you’re setting up an appeals process, so can you give me 
some insight into that? 

Ms. Tavenner. So the appeals process is required in the law, but 
I will remind you, there’s also an appeals process today in Medicaid 
and CHIP and other programs, because sometimes 

Mr. Jordan. I understand that. Do you have — but, I mean, spe- 
cifically, what are you thinking about? Obviously, you think that 
it’s going to happen. The law requires you have some kind of ap- 
peals process. That makes sense to me; we understand that. What 
are some of the anticipated inconsistencies? 

Ms. Tavenner. So I think perhaps people submit information 
and they get denied, and they believe their information was incor- 
rect and they want to bring new information forward. But I’ll be 
happy to get you a list. 

Mr. Jordan. So you don’t know what the list is. You just use the 
term “inconsistency” because you anticipate there’s going to be 
problems. 

Ms. Tavenner. No, we’re 

Mr. Jordan. You anticipate this, in fact, could be a train wreck. 
You anticipate, in fact, this could be a third-world experience. 

Ms. Tavenner. I do not anticipate that. And the — we are cur- 
rently in rulemaking on the appeals process, and the final rule will 
be out shortly. 

Mr. Jordan. Do you think the — do you think everything could be 
up and running, working on October Ist, and the start of next year, 
this law can be fully implemented, working, you think it can all 
function the way it’s supposed to, the way the folks who voted for 
it designed it to, do you think that can all happen? 

Ms. Tavenner. Yes, sir. You know, my background has been 

Mr. Jordan. Okay. So if you think that can all work, you would 
think the administration would call you up and consult with you 
before they decided to say, ‘You know what? We don’t think it can, 
and we’re going to delay part of it.” That seems logical to me, 
doesn’t it? 
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Doesn’t that seem logical to you, that you, the person in charge 
of it, would be called, would be consulted? Don’t you think it makes 
sense for you to be consulted before a major decision, a major ele- 
ment of the law is simply waived for a year? 

Ms. Tavenner. The employer mandate rests within IRS 

Mr. Jordan. That’s not what I asked. Don’t you think it makes 
sense for you, the head of CMS, charged with implementing this 
law, don’t you think it makes sense for you to be consulted? 

Because if you don’t, then that’s scary, too. If you don’t think, as 
the person who heads CMS, you should be consulted before a major 
decision to unilaterally just delay part of the law should take place, 
if you don’t think you should be consulted, then I’ve got concerns 
on that side, as well. 

So do you think you should’ve been consulted? 

Ms. Tavenner. I think I’ve been consulted all along. 

Mr. Jordan. Well, no, that’s not — ^you just told me — 4 minutes 
ago, you just told me you weren’t consulted. 

Ms. Tavenner. I’m 

Mr. Jordan. So which one is it? Because you have to tell us what 
really happened. You can’t have it both ways. Were you consulted 
or weren’t you consulted? 

Ms. Tavenner. I was not consulted. I’m just saying that 

Mr. Jordan. Well, then 

Ms. Tavenner. — in the last year 

Mr. Jordan. Now, wait a minute. So, then, 10 seconds ago, you 
just said you were. 

Mr. Lankford. I’ll ask the gentleman to let her answer. 

Ms. Tavenner. Please let me finish my sentence. 

Mr. Jordan. I want you to finish, and I just want you to finish 
it truthfully, because you’ve told me two different things. 

Ms. Tavenner. Well, I take objection to that, because I’ve told 
you the truth. 

Mr. Jordan. We can read the transcript. 

Mr. Lankford. I would ask the gentleman to let her finish an- 
swering. 

Ms. Tavenner. Thank you. 

So the last 3-1/2 years, I actually started 

Mr. Jordan. I want you to answer one question. Were you con- 
sulted or not? And now I’ll let you answer. 

Ms. Tavenner. I’ve said I was 

Mr. Jordan. Were you consulted? 

Ms. Tavenner. — not consulted. 

Mr. Jordan. Okay. Thank you. 

Thank you, Mr. Chairman. 

Ms. Tavenner. And I guess I won’t get to finish my 

Mr. Lankford. No, go ahead. You can respond. 

Ms. Tavenner. For the last 3-1/2 years. I’ve worked at CMS. I 
started at the time that the rule — that the law was actually 
passed. And I have been an integral part of every decision that’s 
made. 

In the case of the IRS and the employer mandate, I was not con- 
sulted. 

I do feel like I’m part of the process. 

Thank you. 
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Mr. Lankford. And, by the way, we assumed you are part of the 
process. You have been an integral part of that. That’s somewhat 
the surprise to us. We’re trying to figure out where this came from. 
And it is a major shift in what’s happening. And we assumed there 
was some conversation in trying to figure out the whys and the 
whats with it. And that clarification has not come. We’ve also writ- 
ten letters to the administration to try to get some clarification. So 
it’s not just on you. It’s a surprise, as well. We would assume that 
IRS and CMS would be consulted on this process and would be a 
part of the decision-making. 

You all have had a very long day. I appreciate you being here. 
I hope you get a nice, relaxing lunch where it’s quiet and to be able 
to get some time away on that. 

With that, this hearing is adjourned. 

[Whereupon, at 1:10 p.m., the subcommittees were adjourned.] 



APPENDIX 


Material Submitted for the Hearing Record 


I had my staff check with current IRS disclosure counsel and one 
retired disclosure counsel. None of the people we checked with 
recalled a situation where the Inspector General told the IRS that a 
planned release of information by the IRS would constitute a section 
6103 violation after IRS disclosure counsel determined that particular 
material was releasable to the public or to Congress under section 
6103. 


Daniel I. Werfel 
July 17, 2013 
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Ranking Member Yvette D. Clarke (D-NY) 

Committee on Homeland Security 

Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technology 

Joint hearing with Committee on Oversight and Government Reform Subcommittee on Energy 
Policy, Health Care and Entitlements; 

“Evaluating Privacy, Security, and Fraud Concerns with ObamaCare’s Information 

Sharing Apparatus” 

2154 Rayburn House Office Building - Wednesday, July 17, 2013 

When President Obama signed the Patient Protection and Affordable Healthcare Act, or as we now fondly call it, 
ObamaCare, in the East Room of the White House on March 23, 2010, the federal government started making plans to 
operate health care insurance marketplaces, also called exchanges, and to assist states that opted to run their own 
exchanges, by developing a complex web-based service that would allow millions of Americans access to affordable 
health care in the most efficient and safest way possible. 

This was an enormous undertaking, and includes a complex federal and state inter-agency software and database effort, 
commonly known as a ‘federal data services hub’, based at the Department of Health and Human Services. What is 
important about this effort is that we must create, collect, and use or disclose the personal information of millions of our 
citizens in a responsible and confidential way. 

The health care exchanges must establish and implement cyber and personal information protection standards that are 
consistent with specific principles outlined in our existing health care law. 'fhose principles, which are comparable to the 
ones upon which the Health Insurance Portability and Accoimtability Act privacy rule, and other federal privacy 
standards, are based. 

These principles include; providing a right of access to one’s Personally identifiable information or Pii and a right to have 
erroneous information corrected; also, the principles must ensure openness and transparency about the policies, 
procedures, and technologies of the Affordable Care Act; and lastly, provide accountability through appropriate 
monitoring, and reporting of information breaches. 

Healthcare Exchanges must also establish and inclement reasonable operational, technical, and physical safeguards to 
protect the confidentiality, integrity, and availability of Personally identifiable infoimation (Pii), and to prevent 
unauthorized or inappropriate access, use, or disclosure. In addition. Health Exchanges must monitor, periodically access, 
and update their security controls, and develop secure electronic interfaces when sharing Pii electronically. 

We are going to hear testimony today about the massive efforts that the Centers for Medicare and Medicaid Services have 
made to stand-up this essential core of ObamaCare. I know that we will learn much from this undertaking, and it will help 
us deliver health care to those citizens who really need it. 

Today, I want to hear how the Centers for Medicare & Medicaid Services, or CMS, has approached getting its key 
activities completed, including those activities that deal with the development of the "data hub" that will connect the 
exchanges with other federal and state agencies to determine applicants' eligibility, and review the certification of the 
health insurance plans offered to consumers. We want to help this effort in every way we can, and I look forward to the 
testimony today. 
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Topics for discussion 

■ IT ACA 3.0 Readiness for Open Enrollment (October 201 3) 

■ Data Safeguards 

■ Impacts on Employers 

■ Fraud Prevention 

■ Conclusion 
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The IRS is ready to support the new Health Exchange system 


15 





Our current efforts are centered around ACA 3.0 (functionality to support 
eligibility and enrollment) and meeting key delivery dates... 




ACA 3.£] 

j • Determine income and family size and caJculale maximum Advance Premium Tax Credit (APTC) 
j Provide real-time transactional responses to incoming requests 

Or»|.n FnrnHnipn** Provide responses to bulk requests 
*' _ *1 Establish ACA Coverage Data Repository (CDR) Database 

L cl j Expand call center capacity 

- Provide scripting to reroute callers to Centers for Medicare and Medicaid Services (CMS) 

“ ^ *='1 Support ba ic reporting capabilities 


ACA 3.0 Release Status 

■ Systems development is scheduled to complete in April; Change Management process in 
place to manage late changing requirements 

= Completed Interagency Testing Phases 1-3 (validated communications and data 
transmission); completing last phase of interagency testing (Phase IV) for the new 
Healthcare Exchange by May 2013 

® Planning for deployment is taking place as part of joint Business/IT Organizational 
Readiness activities 

■ On target to deploy “open enrollment” capabilities in October 2013 
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Common Pngium 






As o< 4/12/2013 
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Release and Safeguarding of Federal Tax Information 


Background 


■ Federal tax law imposes strict privacy protections that bar IRS from disclosing Federal Tax 
Information (FTI) except as specifically authorized by Congress. This encompasses both the 
release of the data by the IRS and the safeguarding of data in the hands of the recipients. 

■ ACA added section 6103(l)(21) to authorize IRS to disclose FTI to Exchanges, Medicaid, and 
CHIP agencies (and their contractors) to support income verification for ACA needs-based 
eligibility determinations. Recipient agencies must protect FTI as a condition of receipt. IRS is 
responsible for regular auditing of federal and state agency compliance with FTI safeguard 
requirements 

■ If FTI will travel beyond the “(l)(21 )” agencies, IRS must be confident that the individuals who will 
see this data are who they say they are (ID proofing, or IDP) and have proper authorization (or 
consent), to see the data. 

■ The “on-line, near-real-time” statutory goal for the ACA eligibility and enrollment process poses 
different challenges than existing inter-governmental data sharing models. Applications may 
include multiple people not on the same tax return and may be prepared/seen by “assisters”. 
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Release and Safeguarding of Federal Tax Information (cont’d) 
Status: 


■ Before FTl is released to any Exchange, Medicaid or CHIP agency for open enrollment starting 
10/1, appropriate safeguards must be in place, agreements signed, and IRS approved. 

■ FTl will be withheld from agencies that fail to establish adequate safeguards to protect taxpayer 
confidentiality. 

■ IRS collaborated with HHS to incorporate safeguard requirements into the minimum security 
requirements for state agencies receiving federal data, including FTl. 

■ IRS meets continuously with every state and federal government entity that might receive (l)(21) 
data to provide outreach and education, one-on-one consultations and technical assistance on 
IRS data security requirements. 

■ While other federal and state government entities have experience creating the necessary 
safeguards, it is clear that the new and expanded use of tax data (especially on-line/real-time) goes 
beyond pre-ACA experience and infrastructure. 


Key milestones: 


■ Jan - July 2013 - IRS participate in HHS readiness reviews and cross functional working teams, 
provides assistance in completing required security and privacy artifacts 

■ April - July 201 3 - Exchanges, Medicaid and CHIP agencies submit draft written plans to protect FTl 

■ July - September 2013 - IRS must approve written safeguard plans prior to disclosure on 10/1/2013 
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impacts on Employers 


All employers who self-insure 

IRC 6055 - Information return to each covered person concerning the individuals covered by the 
policy/program and costs, broken out by month. 

Larger employers 

IRC 6056 - Annual information return to each full-time employee (copy to IRS) about whether the 
employer offered insurance to its full-time employees: 

■ If not, why; if so, then to whom, the premium cost and whether the employee enrolled; 

■ Statute requires data be broken out by month. 

IRC 4980H - Employer Shared Responsibility Provision 

■ If the employer fails to offer to at least 95% of its full-time employees, or the employer offers 
but it is unaffordable or of insufficient quality, AND at least one employee obtains a premium 
tax credit. 

■ Amount of the tax depends on whether the employer offered insurance and/or on how many 
employees obtain the premium tax credit. 

Smaller employers 

HHS - access to affordable small-group market marketplace, or SHOP exchange 

IRC 45R - tax credit for smallest employers to assist with cost of employer-sponsored insurance (after 
12/31/13 available only through the SHOP) 
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Fraud Prevention 

The IRS is working across agencies, and across various 
data sets, to prevent, detect and treat both errors and 
real fraud 

■ IRC 36B -- Premium Tax Credit 

■ IRC 6055 and 6056 - Coverage Information Returns 

■ IRC 4980H - Employer shared responsibility provision 

■ IRC 5000A- Individual shared responsibility 

■ IRC 45R - Small employer health care tax credit 
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In Conclusion 

■ IRS is on track to deliver major new systems and data to support 
exchange stand-up on October 1®*, 2013 

■ Continued areas of focus include: 

■ Governance and interagency collaboration (CMS) 

■ IT readiness for each major release 

■ Release and safeguarding of Federal Tax Information 

■ Measures to combat fraud 

■ Customer service for 2013, 2014 and 2015 
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Ranking Member Bennie G- Thompson (D-MS) 

Committee on Homeland Security 
Statement for the Record 

Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technology 

Joint hearing with Committee on Oversight and Government Reform Subcommittee on 
Energy Policy, Health Care and Entitlements: 

“Evaluating Privacy, Security, and Fraud Concerns with ObamaCare’s Information 

Sharing Apparatus” 

2154 Rayburn House Office Building - Wednesday, July 17, 2013 


President Obama signed the Affordable Care Act (ACA) in the East Room of the White House on March 23, 

2010 . 

That act called for the federal government to operate health care insurance marketplaces and develop a complex 
computer web-based service that will allow millions of Americans access to affordable health care. 

Creating this web-based system will require the Federal govermnent to collect and use the personal information of 
millions of our citizens in a responsible and confidential way. 

These computer systems must safeguard the Personal Identilying hiformation of the millions of people who will 
sign up to purchase health care under the ACA. 

Our constituents want assurances that if these systems are breached and persona! information Is hacked, the 
government will act quickly to inform the public about the extent of the breach and the corrective actions taken. 

The public has a right to expect these protections. And I am happy to report that these protections are in the law. 

So if the law provides safeguards to protect the personal Identifring information of the people who enroll in the 
system, why are we here today? 

Wliat can we learn about the safeguards before the system has been completed? 

We can ask whether, at tliis point, there are any known risks or weaknesses in the system. 

And that is why I asked GAO to appear at this hearing. In June, GAO issued a report that clearly stated that tliis 
system is not finished. 

GAO said that the part of the system that is the responsibility of the federal government appears to be on 
schedule. 

Unfortunately, GAO also found that there are actions that the states must take along with the Federal government. 
Those actions are lagging behind. 
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So, if we are concerned about the actions that may compromise the efficacy of this system, I would suggest that 
we hear testimony from the representatives of those states tliat lag behind. They need to explain why they have 
agreed to establish exchanges but have failed to take the necessary actions. 

And we need to find out whether these states need additional help to complete their part of this complex system. 
In other words, we need to do oversight that seeks solutions and improves the working of government. Because 
that is what the people sent us here to do. 

We do not need to conduct the kind of oversight that seeks to instil! irrational fears for political gain. 

We need to be clear. At tills point there is no evidence that this system is being constructed in a way that would 
allow anyone’s personal information to be lost or stolen. 

However, we do know that computer systems get hacked every day. And when those systems are hacked, 
responsible companies alert their customers, find the problem and make corrections. And we must be certain that 
the Federal government does the same thing with this computer system. 

It would be irrational to use the mere possibility of breach to stop the efforts to construct this web-based system. 
We would not call for the abandonment of on-line shopping simply because the credit card company gets hacked. 

A few months ago, the Federal Reserve got hacked. No one called for the closing of the federal monetary system. 

And why not? Because we all know iliat Hacking Happens. 

It is not my intention Co downplay the significance of hacking. Wc all know that the threat is real and to be the 
victim of identity theft or similar crimes can be devastating. The solution is not to shut down all the computers 
and go home. The sound course of action is to build a safe and secure system with con^ant monitoring that is 
responsive and accountable. 

Of course we can choose not to follow a sound course of action. I think that leaves us two options. One option is 
to walk away from millions of Americans who need affordable health insurance. We could give up because it is 
hard and it has risks. But something about that doesn’t seem Amencan to me. 

The second option is to be like our friends in Russia. Because the government fears hackers, they have recently 
aimounced that some government agencies will switch from using computers to using typewriters and paper files. 
That doesn’t seem like progress to me. 

This country must continue moving forward. 

We are going to hear testimony today about the efforts that the Centers for Medicare and Medicaid Services have 
made to construct this system. At tliis point in the process, much work has been done and much remains to be 
done. 

I look forward to hearing about the challenges of this system and learning about what Congress should do to 
assure that the Executive Branch is able to implement this law passed by us and luled constitutional by the 
Supreme Court. 
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For Press inquiries, please contact Adam Coxnis at (202) 225-9978 
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